JSON Web Keys (JWK & JWT) - "Emergency" - HackTheBox Business CTF

  • Published: 4 Nov 2024

Comments • 87

  • @alexlefevre8226 3 years ago +14

    Every time, every video, I learn... I learn a TON. I earned my CS degree in 2012, which is for all intents and purposes, one complete stage of evolution of the field. I missed streamlined AI/ML, as they were all electives that required department approval. I also missed in depth server side scripting such as JSON, but we DID do a lot of PHP and our main focus coding wise was C++.
    We learned nothing pertaining to pentesting or security measure beyond solutions offered in a basic web portal when one purchased hosting.
    We did an oddly large amount of assembly, as well.
    I've learned more about security, malware, and generally understanding what you present here than a 4 year degree. You are awesome and have a forever subscriber.

    • @Joettyy 2 years ago

      hows it going now?

  • @user-oz5hi1px7e 3 years ago +19

    I love it when u do the "WHY?"

  • @Dygear 3 years ago +3

    Actually super helpful to me. I have to use JWTs and I didn't understand them at all. This helped so much and allows me to avoid a pitfall of them as well.

  • @joeymelo2882 3 years ago +23

    John: “Man, I’m falling apart”
    Everyone: We’ve all been there John. We’ve all been there.
    Thanks for the video:D

  • @kyand920 3 years ago +13

    This for some reason gave me a flashback to a PicoCTF challenge that John did, it involved JWT

  • @cheezedoodles3447 3 years ago +4

    I enjoy these ctf videos so much! Thanks for the content John, keep these daily uploads!

  • @jocsamisrraine 11 months ago

    Good one, still watching from Brazil in 2023

  • @kylefaust7743 3 years ago +1

    I have been studying networking for the last month and I still have zero clue what he does with these videos but I am DETERMINED to figure it out so I can not only follow him on videos but also solve these problems myself!!! Thanks for the video! Loved your cast on HTB Battlegrounds and here's hoping for more!

    • @charlesejiegbu5372 1 year ago

      Hey, it’s been a year since you made this vow, how’s it been going since then? Have you made some progress in your learning thus far?

  • @villager8358 3 years ago +3

    its GREAT that you upload daily!

  • @gokoo123 2 years ago +4

    @18:31 you killed gunicorn again after killing it near minute 18, but you didn't kill nginx either time :D

  • @tehvvisard 3 years ago +4

    Depending on how the check is set up on the server side you might just have been able to create a new token with username: admin. Not all APIs check the signed part, only that the jku matches

  • @Sarveshpanditrao 3 years ago +18

    Setup tour

    • @aumbhatt5339 3 years ago +1

      He already did one 6 months ago...

  • @MaZe741 3 years ago +7

    What's the main takeaway? How come the jku location can be changed to anything? Please talk about what the vulnerability was here, just human error?

    • @leduyminh48 3 years ago

      Because it is not supposed to be in the header for the user to change, you cannot trust the header for that information. Instead, it should look up the jwks_uri through the .well-known/config endpoint before using it for verifying the signature

  • @xXReVo_LuTiOnXx 3 years ago +8

    Why does JWT allow this behaviour?
    I mean there should be some strict content policy like "JWT" can only be checked to a domain which it is used by or something, everything else is really stupid, isn't it?

    • @tartas1995 3 years ago +4

      If I understand you correctly, you are asking why the system is using a "random" source for verification. The answer is that it is kind of the point of the concept of JWT. If the service that is using JWT would host the "key" itself, the service could be using the good old session ids. The point of JWT is to have authentication and service separated. The domain with the service trusts the authentication service and simply checks if the token is valid using the public key from the authentication service and the signature from the token. In this case, the service was coded to use the "jku" in the token which makes sense if you have multiple trusted authentication services (think authentication via google, facebook, ...). But the service failed to check if it trusts the jku in the first place. (My understanding could be wrong or incomplete)

    • @arpee1337 3 years ago

      That's pretty much it. This can actually be seen as a "feature" but the server blindly trusted whatever was there

    • @MaZe741 3 years ago

      I don't understand how the JKU can be changed to anything so easily, what's the vulnerability?

    • @lukegaskell8214 3 years ago

      The problem is that typically that well known endpoint is just set on the server side (therefore would always verify against the correct keys).
      This vulnerability was allowing the user to not only provide the jwt… but also how to verify the jwt (well known endpoint in the token)
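
The behaviour these replies describe (the service fetching its verification keys from whatever jku the token itself names, and the fix of deciding server-side where keys come from), as an added example in Go. This is not code from the challenge, the video, or any library the page mentions. The URLs auth.example and attacker.example, the key id "key-1", and the in-memory fakeNet map that stands in for an HTTP GET are all constructed for the demo so it runs offline; the verifier is otherwise a plain RS256 JWS check with RSA keys generated on the fly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Constructed URLs for this demo; neither comes from the challenge.
const trustedJWKS = "https://auth.example/.well-known/jwks.json" // the one JWKS the service should trust
const attackerJWKS = "https://attacker.example/jwks.json"        // where the forged token's jku points

type jwk struct{ Kty, Kid, N, E string } // kept in memory only, so no json tags needed
type jwks struct{ Keys []jwk }
type jwsHeader struct{ Alg, Kid, Jku string } // json.Unmarshal matches "alg"/"kid"/"jku" case-insensitively

var enc = base64.RawURLEncoding

// toJWK publishes an RSA public key as an RFC 7517 JWK ("n" and "e" are base64url big-endian integers).
func toJWK(pub *rsa.PublicKey, kid string) jwk {
	return jwk{"RSA", kid, enc.EncodeToString(pub.N.Bytes()), enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// fromJWK rebuilds the rsa.PublicKey from those members.
func fromJWK(k jwk) (*rsa.PublicKey, error) {
	n, errN := enc.DecodeString(k.N)
	e, errE := enc.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, errors.New("bad JWK")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// mint signs an RS256 compact JWS whose header advertises a jku.
func mint(priv *rsa.PrivateKey, kid, jku string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "jku": jku})
	pl, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// verify checks a token. pinJKU=false reproduces the challenge app: it fetches whatever URL
// the unauthenticated header names. pinJKU=true accepts only the configured jku, so the token
// cannot choose its own key source. fakeNet stands in for HTTP GET so this runs offline.
func verify(fakeNet map[string]jwks, token string, pinJKU bool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var h jwsHeader
	if err := json.Unmarshal(raw[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // the token must not pick the algorithm either
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	if pinJKU && h.Jku != trustedJWKS { // the fix: the server decides where keys come from
		return nil, fmt.Errorf("untrusted jku %q", h.Jku)
	}
	ks, ok := fakeNet[h.Jku]
	if !ok {
		return nil, fmt.Errorf("fetching %s failed", h.Jku)
	}
	for _, k := range ks.Keys {
		if k.Kid != h.Kid {
			continue
		}
		pub, err := fromJWK(k)
		if err != nil {
			return nil, err
		}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
			return nil, errors.New("bad signature")
		}
		var claims map[string]any
		if err := json.Unmarshal(raw[1], &claims); err != nil {
			return nil, err
		}
		return claims, nil
	}
	return nil, errors.New("kid not found in JWKS")
}

// Outcome records what each verifier did with a legitimate token and a forged one.
type Outcome struct {
	VulnForged, HardForged, VulnLegit, HardLegit bool
	ForgedUser                                   string // claim the vulnerable verifier accepted
}

// RunScenario replays the attack: the attacker publishes their own JWKS under the same kid,
// signs user=admin with the matching private key, and points jku at their own host.
func RunScenario() (Outcome, error) {
	issuer, err1 := rsa.GenerateKey(rand.Reader, 2048)
	attacker, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.New("key generation failed")
	}
	fakeNet := map[string]jwks{ // constructed stand-in for the network
		trustedJWKS:  {Keys: []jwk{toJWK(&issuer.PublicKey, "key-1")}},
		attackerJWKS: {Keys: []jwk{toJWK(&attacker.PublicKey, "key-1")}}, // same kid, attacker's modulus
	}
	legit, err1 := mint(issuer, "key-1", trustedJWKS, map[string]any{"user": "guest"})
	forged, err2 := mint(attacker, "key-1", attackerJWKS, map[string]any{"user": "admin"})
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.New("signing failed")
	}
	var out Outcome
	if c, err := verify(fakeNet, forged, false); err == nil {
		out.VulnForged = true
		out.ForgedUser, _ = c["user"].(string)
	}
	_, err := verify(fakeNet, forged, true)
	out.HardForged = err == nil
	_, err = verify(fakeNet, legit, false)
	out.VulnLegit = err == nil
	_, err = verify(fakeNet, legit, true)
	out.HardLegit = err == nil
	return out, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

Running it prints an Outcome where the vulnerable verifier accepts the forged token as user=admin while the pinned verifier rejects it, and both accept the legitimate token. The point a practitioner should take from this: the signature check is mathematically fine in both paths, the bug is entirely in letting the unauthenticated header decide which public key counts. In a real service the JWKS location comes from configuration or the issuer's discovery document (the jwks_uri in .well-known/openid-configuration), and supporting several issuers means an allowlist of issuers on the server, not a free-form jku. The alg check matters for the same reason: nothing in the header is trustworthy until the signature has been verified with a key the server already trusts.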

  • @DizzySpark 3 years ago +5

    Weird question... was the "rogin" screen sanitized?

  • @TheOcta5 3 years ago

    I hope in the future to solve things like you do, great job John!

  • @pengrey 3 years ago +5

    John, this one was a bit confusing to follow, maybe next time a slower pace. But loving this series, keep on o/

  • @dedkeny 3 years ago +4

    Python4... I just stared into the eyes of the future!

    • @Reelix 3 years ago +1

      By the time python4 rolls around, maybe people will have stopped using python2 - Maybe :p

    • @Yetzederixx 3 years ago

      probably not lol

  • @matteoleone5705 3 years ago

    I really liked the première! I think this will be really useful in many occasions. Thanks John!

  • @serg472 3 years ago +3

    I don't get it, what was the vulnerability? This type of authentication surely isn't supposed to fall apart essentially from just setting "user=admin" inside a cookie.

    • @lukegaskell8214 3 years ago

      The vulnerability is that it was allowing the token to dictate how it verified the signature….
      Basically… tell me who you are and tell me how to verify that.
      I should know how to verify without you telling me.

  • @Maik.iptoux 3 years ago

    Minute 15: alg, alg, alg!!! Sometimes you don't see the things in front of your eyes 👀😂

  • @karolmilewczyk8338 2 years ago +1

    Edit the audio out when typing your passwords. People can interpolate the keystrokes from their frequency.

  • @hanpoyang 3 years ago

    Why does it contain the pk file path? Is it so ridiculous? I've been confused. :-) It is really an excellent presentation.

  • @chippyswoodworking1765 3 years ago

    Great video. I learn a lot from your channel.

  • @lokithedark1 3 years ago +2

    lol I saw python4 and was like darn, why'd I spend so long getting the hang of 3

  • @zombie9503 3 years ago

    Great video as always! Much love man

  • @TJCREATIVETECH 3 years ago

    Bye John👋👋Good Night!!

  • @zihasz5305 3 years ago +1

    You should install a JSON viewer extension for Chrome :)

  • @eternalskywalker9440 1 year ago

    I find it hard to believe that you would find a live app that would accept a key from an arbitrary domain. Vetting the signer should be a basic task.

  • @stanislavsmetanin1307 3 years ago

    Bravo maestro 👏👏👏👍

  • @harshkashyap8045 3 years ago

    Good luck 👍

  • @itstoxicqt 3 years ago

    Damn, should have watched this earlier, would have helped tons in the HacktivityCon warm-up stuff today lol

  • @hyperblackhole2105 5 months ago

    Can we still do this without the public-facing website?

  • @patrickconrad2874 2 years ago

    What problems could this cause from a dev standpoint? How can I prevent this? Thanks for the content.

    • @eternalskywalker9440 1 year ago

      Vet the signing key. Know where it comes from.
      This is a dumb exploit to be vulnerable to, very basic.

  • @BearkFearGamer 3 years ago

    Amazing man, you're an expert!

  • @xpau2 2 years ago

    2:27 your Chrome is outdated. lmao 😂
    You are missing some important security updates!!
    I know that issue..

  • @challengercybersec2155 2 years ago

    Ed Sheeran is amazing at infosec stuff.

  • @ca7986 3 years ago

    ❤️

  • @TJCREATIVETECH 3 years ago

    Super

  • @Johnny-tw5pr 3 years ago

    How do I find these machines on HTB?

  • @silinders 3 years ago +7

    What browser extension are you using?

    • @mithushanjalangan5132 3 years ago

      Was going to comment the same! Want to know as well!

    • @a.k_theportal3085 3 years ago +2

      The cookie-editing one? It's called EditThisCookie

    • @jakecrowley6 3 years ago

      You can also edit cookies directly in Chrome without any extensions by going to Dev Tools (Ctrl+Shift+I) -> Application tab -> Cookies

  • @flaviuscondurache2688 3 years ago +7

    Was I the only one who was screaming: use ngrok?

    • @grandmakisses9973 3 years ago

      I was thinking it

    • @HAGSLAB 3 years ago +1

      Was thinking the same 😂 John has used ngrok multiple times before, so not sure why he opted to use his prod server this time 😆 I may have done the same thing though 😝

  • @villager8358 3 years ago

    I just wonder: how old are you, John?

  • @NeXXyD 3 years ago +2

    TOOD

  • @ventsislavkirkov 3 years ago +1

    I like listening to Seth Rogen hacking :)

  • @claudiafischering901 3 years ago +1

    JWT is really not secure enough for me. When John breaks into it so fast, I never want to use JWT. So I still use php-session. That is more secure, I think. ^^ Thanks for the video.

    • @safwanljd 3 years ago +4

      JWT is secure when configured correctly

    • @mohdalif 3 years ago

      Do check out JWE for additional security of JWT. My advice is to go stateless, simple and easier to scale. Storing the session on the server side I guess is fine for a non-scaling web app.

  • @EiRA-hiE-x 3 years ago

    Damn, I feel like I should never use JWT again lol

  • @shunhasfaithfaith6693 3 years ago

    Do an analysis of AsyncRAT

  • @dominic_dl2114 3 years ago

    We do not know how it's signed... alg: rs256. Well xD

  • @zeratax 3 years ago

    This is so weird to me lmao. This jku field makes like no sense to me and seems sooo insecure, I hate JWT. I guess it's like supposed to be used with a whitelist? But what's even the point?

  • @shivamgoyal796 3 years ago +3

    Which plugin do you use to check the JWT token?

    • @aveon9888 3 years ago +2

      I think it is CookieManager

    • @KGIV 3 years ago

      @@aveon9888 That's the one.

  • @JuanBotes 3 years ago

    :)

  • @JaraMoni-q6l 1 month ago

    Lopez Deborah Brown Mary Clark Brian

  • @lifeisgameplayit 2 years ago

    Aren't you doing brain surgery just now by explaining how JWK works? ;>