How Hackers Hack JSON Web Tokens 

What does JSON stand for?

this is a very vulnerable backend that won't exist in real world

I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore

Nope if i wrote that backend. 1. Never put password in payload. 2. Password should be hash not encrypt 3. if the algorithm does not exist in header of JWT then it returns 401 Can still you beat that? Let me know

Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe

No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.

This is highly unlikely situation, but yeah a determined hacker and a foolish developer, anything is possible.

Video Suggestions: 1. Video About wireshark And wifite 2. Video on how to hack any pdf's password with "rockyou" wordlist 3. Make a video about anonymity with kali "whoami" 4. A video on how to dual boot Kali Linux 5. A video a on BYOB Botnet 6. Full tutorial about Burpsuite

You explain like a learner not a tutor and we understand as a master trainer ! Too good! From india

JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.

You don't put passwords (even hashed) in JWTs

ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.

Thanks! I've been searching how to get it and this is brilliant :D

Sir awesome your explain....which year did you learn hacking course?

Usually the password is never contained in the jwt for security purposes....

Wow your the real Mr.Robot with full explanation. Thank you for the video.

This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".

Just make sure to use REDIS to validate the token.

MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!

This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.

Awesome tutorial Loi! As always thanks for sharing!

Site who dont check for jwt signature deserve to be hacked

Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.

you deserve to be a comedian 😆

This is if u try to hack a noob developer :D

Passwords never appears in JWT. Just ids or roles. And we verify the token with certs every request so its not a problem :P

I learned a lot from you Thank you my beautiful teacher loi I wish I could shake hands with you in real life ❤️❤️🌹

This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.

Loi Yang , I saw this video what if you change the role customer to admin ? Would it be more easy to bypass I guess ? Or I am wrong ?

I'm learning about JWT and you explained it better

Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.

Nice video, but when I use the MD5 decoder it comes back as "Bad Format"... Doesn't work.

Great. I can prevent hacking by your video. Thank you.

Which is why no framework/library/website allows alg:none by default.

So this website does not verify the token and its signature before processing any requests, right? 😅

:3 Plenty of bounties rely on these API keys since API keys are barely looked at by most security people, and by most web developers, as plenty of successful ethical hackers explain they get paid a ton by these exploits. Many don't encrypt keys, leave them out in the wild, and then they're weak algorithms to begin. They're not encrypted, they're just hashed. So, you're just wrong on that.

this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...

what if there is only the user id stored in the token for eg i use that

Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.

hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔

How to gunzip a compressed payload?

explain about how we can exploit a camera over network

He lost me when he said " change the token to admin " doing so invalidates the token. The server will reject the token !!

Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.

what foolish developer would even put their passwords in the JWT claim?

LMAO!! I was rolling with that "super secure password"

I tried and it is installed thank u very much anda

That backend is bonkers

Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on c2?

Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?

Please make a video on captive portal setup on router🙏❤️

Thanks!

Wear on your thinking cap 🧢 this is for educational purposes only! Hacking without permission is illegal and ethical hacking is preformed under the supervision of law. You can get into big trouble then you go to jail 🤓🤓🤓

im junior web frontend, i use jwt in nextjs. but i create my backend(nestjs) app to set secret in jwt and never set password in the payload of jwt just set sub/id and ername/email. i think in the production people never set password in the payload and will set jwt secret. cmiiw

Does samsung knox protect the phone from hacking

what kind of backend does not verify jwt?

Jet Skis on Neptune

i think the only time the password will appear is if the developer set it as "1" in Controller....

haha there shouldn't be a password claim in the token

JWT_Tool automates the task but most of the websites have protection against the None algorithm attack

Are you kidding me mate? This is no way to hack jwts, this is just crappy, unsecured backend.

Terrible. Why not do tutorials on how to build secure systems? 1. You never, never, never put a password in a JWT, ever 2. Where's the OAuth and OpenID

Excellent video. I am now trying to hack my own API 😂😂. If we provide algorithm while decryption then we can avoid this attack

Thank you so much you really help me :)

Hey guys Let me know, where are you from? Comment below I'm from India 🇮🇳

Hello Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?

I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.

Why would the server respond as OK at 11:43 if the password in the json token for the admin account is possibly wrong?

backend devs are suposed to DO NOT send back the password.

Nice video, it works!

Please I need your help someone is trying to hack my website by creating multiple user account what can I do

We want discord There anyone have discord for learn hacker? Send to me

CAN YOU HELP MAKING VIDEO ON GETTING ACCESS TO SAVED PASSWORDS On ANDROID APPS OR PASSWORDS SAVED IN BROWSERS.

how do you get past the secret

💜💜sir plz your hacking lab setup please 💜💜

Make a video on Openbullet 2

I won't answer that for you Loi

Lol is very vulnerable backend. Stores the password of the user in the JWT, it doesnt make any sense, cause this is the purpose of the JWT

Not a real JSON WEB TOKEN scenario, debunked in just one word, SALT

this is tutorial "how to make JWT inside your app authentication hackable"

Yes Bro nice work and nice video

well, thanks mr Loi

Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore

can you beat Bjorka?

Hi Loi. Nice video - would you recommend sessions for API's that need more security ?

Now I know how to hack Jason's password. Didnt knw every was after him as well.

you are awesome

Which best to learn C or C++

Great vid for starters. But was engineered to be a successful hack experiment.. Relies on endpoint server allowing unencrypted tokens in bearer auth. port 3000.. so a node app? So what you used express-jwt & set the algorithm array to accept sha256 or no-encrypt? Sorry, but that's a bit silly. If someone did that on their server app, then they deserve to be hacked. Further... what kind of developer puts the encrypted password hash in the jwt token response; and further relies upon it for "current password" checking onChange request? Never trust anything from the client. That's rule #1. I mean... Again... this was engineered to be a successful hack experiment. It was a great entry level experiment don't get me wrong. I just ... i just don't know why i feel dirty after seeing this, so had to say something. Perhaps I know too much and I just need to go find my corner and sit in it, away from everyone else for a while....

how does one hack slmail?

Yeah, I'm using whitelist. Also the only thing I'm puting in my payload is user id which is in uuid, good luck finding the admin.

He's so good at what he does.

could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???

Hacker Loi this is great info. How do more of this kind

My Facebook account hacked not showing in Facebook help me to recover I don't have money plzz help

Hello Mr yang are you available to hire

Ah yea, the good ol' md5 hashed user password inside jwt claims. Classic

Hi i’m new here how can i get membership ?

Computer specs reveal plsss

Holy Moly.