
Hack JWT using JSON Web Tokens Attacker BurpSuite extensions 

thehackerish
Views: 43K

In this video, you will hack a vote feature by exploiting a JWT implementation weakness using two BurpSuite extensions: JSON Web Tokens and JSON Web Tokens Attacker (JOSEPH).
- Download your FREE Web hacking LAB: thehackerish.com/owasp-top-10...
- Read more on the blog: thehackerish.com
- Support this work: thehackerish.com/how-to-support
- Facebook Page: / thehackerish
- Follow us on Twitter: / thehackerish
- Listen on Anchor: anchor.fm/thehackerish
- Listen on Spotify: open.spotify.com/show/4Ht8jEb...
- Listen on Google Podcasts: podcasts.google.com/?feed=aHR...

Published: 11 Nov 2020

Comments: 49
@sundar3357 3 years ago
You are explaining everything well. Thanks man.
@thehackerish 3 years ago
Welcome! Enjoy!
@ajaykumark107 3 years ago
Idea for next video: Burp bounty Extension. All videos currently on youtube have no voice over. Please cover this extension in depth as you did for JWT tokens. Great job again!
@thehackerish 3 years ago
Thanks for the suggestions!
@theotimeforestier7647 3 years ago
Very well explained
@uliun2344 3 years ago
Suite is pronounced as "sweet". Thanks for the great content.
@user-zl9dy6hz2q 3 years ago
Can u upload all the vulnerability related JWT and GraphQL
@pooloverflow 3 years ago
nice content
@laggybot1327 3 years ago
very nice
@anik6393 3 years ago
You are the best one😘.
@thehackerish 3 years ago
You are as well!
@ajaykumark107 3 years ago
Please create more content!!
@JuanBotes 3 years ago
thanks
@whatiknowtech6887 3 years ago
Quick one sir, how do I craft a new timestamp in the JWT payload? Gained a new subscriber, thank you very much. Kindly do in-depth tutorials on Burp extensions.
@thehackerish 3 years ago
run on the terminal: date +%s
@cricketworld4165 23 days ago
in this process we find upcoming period or number sir!!
@muddassirkhan5953 3 years ago
Are all the tokens base64 encoded, or does it depend on the application?
@thehackerish 3 years ago
You will always find the same structure. It doesn't depend on the application, it is a standard.
@ashpakpinjari9214 3 years ago
Bro make video on burpbounty, burp collaborator everywhere and X-Forwarded-For extension. Waiting for your video.
@thehackerish 3 years ago
Thanks for your suggestion!
@hackerproxy19 3 years ago
one video cover the all (burp suite extensions), can you
@thehackerish 3 years ago
That would result in a very loooong video which I cannot make unfortunately.
@capleprajapati5575 3 years ago
1) For the highlighted request with comment as "Contains a JWT", it shows token in Response and not in the Request. Why the request is not having JWT? Also the request which has token is not highlighted with Contains a JWT. 2) The JWT token comes after we login with correct UserID and Password. It does not show before we login into the page. Is this correct? Is this how it is supposed to be?
@thehackerish 3 years ago
1- The extension detects whenever there is a JWT token either in the request or the response. 2- Yes, JWT tokens are usually used after authentication, in this case using a username and a password
@zer0six472 1 year ago
I know I am a little late but great video, thank you very much, well explained 🙏🤘
@thehackerish 1 year ago
Never late, welcome!
@nihagurung8980 3 years ago
My laptop says “AuthSdkError: The JWT was issued in the future”.. Can you please help me?
@thehackerish 3 years ago
set the iat field of the JWT to a correct timestamp I guess.
@ca7986 3 years ago
♥️
@cyberpirate007 3 years ago
Bro make a video on WAF bypass extension plzzz
@Nirusvlogs 3 years ago
Nice. So what is the secure way to implement JWT token?
@thehackerish 3 years ago
Validate the signature. Use strong keys for HSxxx, prefer RSA, etc
@Nirusvlogs 3 years ago
@thehackerish Thank you so much! But while hacking you're removing the signature; if I use RSA also, still you can hack using XSS or CSRF attacks, right? I am having this issue in my website. I want your advice 😀
@thehackerish 3 years ago
@Nirusvlogs JWT will protect against CSRF if not put in a cookie. However, XSS would exfiltrate the JWT. In this case, you can implement proof-of-possession: tools.ietf.org/html/rfc7800.
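
Added example, not from the video, its author or any commenter: a standard-library Python verifier for the advice in the replies above ("Validate the signature") that also covers the `iat` check behind the "issued in the future" error raised in an earlier comment. The key, the fixed clock, the function names and the four tokens are constructed for illustration; the algorithm is pinned by the server rather than read from the token.

```python
import base64, hashlib, hmac, json, time

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    # Issuer side; used here only to build the constructed sample tokens.
    signed = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    return signed + "." + b64e(hmac.new(key, signed.encode(), hashlib.sha256).digest())

def verify_hs256(token: str, key: bytes, now=None, leeway: int = 30) -> dict:
    """Return the claims if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("missing signature")
    header = json.loads(b64d(parts[0]))
    # The server pins the algorithm; the token's header never selects it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("invalid alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64d(parts[1]))  # parsed only after the MAC checks out
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise ValueError("iat missing or in the future")
    return claims

def outcome(token: str, key: bytes, now: int) -> str:
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as err:
        return str(err)

# Constructed sample input: demo key, fixed clock, four tokens.
KEY = b"constructed-demo-key-0123456789abcdef"
NOW = 1_700_000_000
HDR = {"alg": "HS256", "typ": "JWT"}
GOOD = sign_hs256(HDR, {"sub": "demo", "iat": NOW - 60}, KEY)
h, b, s = GOOD.split(".")
STRIPPED = f"{h}.{b}."  # signature segment removed
TAMPERED = f"{h}.{b64e(json.dumps({'sub': 'admin', 'iat': NOW - 60}).encode())}.{s}"
FUTURE = sign_hs256(HDR, {"sub": "demo", "iat": NOW + 3600}, KEY)

if __name__ == "__main__":
    for name in ("GOOD", "STRIPPED", "TAMPERED", "FUTURE"):
        print(name, "->", outcome(globals()[name], KEY, NOW))
```
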
@crazyfun782 3 years ago
Take ❤️❤️❤️❤️
@thehackerish 3 years ago
@gowanotv4050 2 years ago
Bad token; invalid alg
@neeleshneelesh7964 3 years ago
Hi can you hack carrom pool gems and coins please
@thehackerish 3 years ago
Nope, sorry!
@neeleshneelesh7964 3 years ago
Can you send me file carrom
@Stas1983ful 1 year ago
Sorry, How add in burp in request JSON WEB TOKENS?