JWT Authentication Bypass via Unverified Signature

Опубликовано: 05 Июнь 2023
на канале: Intigriti

11,652

139

👩‍🎓👨‍🎓 Learn about JSON Web Token (JWT) vulnerabilities. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives. To solve the lab, we'll modify our session token to gain access to the admin panel, then delete the user carlos.

Overview:
0:00 Intro
0:41 Exploiting flawed JWT signature verification
1:32 Accepting arbitrary signatures
1:52 Lab: JWT authentication bypass via unverified signature
3:51 Solution #1: python
5:07 Solution #2: burp suite
7:10 Solution #3: jwt_tool
9:07 Conclusion

If you're struggling with the concepts covered in this lab, please review the Introduction to JWT Attacks video first: • Introduction to JWT Attacks 🧠
For more information, check out https://portswigger.net/web-security/jwt

🔗 ‪@PortSwiggerTV‬ challenge: https://portswigger.net/web-security/...

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by / _cryptocat ( ‪@_CryptoCat‬ ) & / intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

🐍 Python scripts demonstrated in this series can be found here: https://github.com/Crypto-Cat/CTF/tre...