
JSON Web Tokens (JWT)

JWTs are the evolved replacement for PHP sessions. It makes sense that we would need something else: a signed token carried by the client is a lot more cloud friendly than server-side session state once you start to think about load balancers and multiple backends.

At this point we have two ways to handle RBAC: session data in PHP with a gatekeeper function of some sort, and Firebase security rules. Let's look at another popular candidate, particularly for a slew of cloud architectures.

Here's what happens:

Here's what is in a JWT:

Diving in

Head to https://jwt.io/ and click "debugger". In a different tab fire up CyberChef. Grab the first part of the JWT (up to the first dot) and drop it into the input window. Apply "From Base64" (ATTENTION: set the alphabet to URL safe, not standard, and note there is no "=" padding). Note the exact bytes that were encoded. Repeat for part 2.

Little Crypto: Now the hard one. Take the first two parts of the JWT (include the first dot but not the second). Make your recipe HMAC (SHA-256, since the header says HS256), then From Hex, then To Base64. Use the key from jwt.io (your-256-bit-secret, in Latin1), then change the alphabet in the To Base64 recipe to URL safe. Validate that the output matches the signature (the 3rd part of the JWT).

Now change one character in the payload (say, "John Doe" to "John Foe") and recreate the signature. The old signature no longer matches, which is the whole point.

OK, now you kinda get the crypto part. There is a digital signature (here an HMAC over a shared secret key; other algorithms are possible) BUT NOT ENCRYPTION: anyone holding the token can read the payload, they just can't change it without the key.

Setting up a JWT express stack

Head to glitch.com and set up an express app. Add the library jsonwebtoken and make the server.js file match the following gist, check the logs, and use jwt.io to read the payload.

Let's chat pros and cons at this point.

OK, make a /views/secret.html file and replace server.js with my code. Now visit your URL / and get the token. Then open up Postman and make a GET request to /secret (it will be forbidden). Add a header "Authorization" with the value "Bearer tokenpastedhere", with your actual token in place of "tokenpastedhere". Hopefully you get through.

Hacking JWTs and Let's talk about everything

I've been wanting to give you a giant list of every exploit you should have some familiarity with to be a top web exploit hunter.

(Actually I think to get into it you should pick 1 and master it then hunt for it everywhere!)

I found this wonderful database of exploits and things:

Let's talk through THE BEST WEBSEC REPO EVER.

Inside that repo there is this JWT guide: https://github.com/ticarpi/jwt_tool/wiki

rockyou.txt

You can download a version of rockyou.txt from websec.prof.ninja/rockyou.txt

It's just a giant list of leaked passwords.

Daily Flags

Level 1:

https://heliotrope-auspicious-sparrow.glitch.me/

Level 2:

https://west-tinted-ferret.glitch.me/