JWT authentication bypass via 'X-HTTP-Method-Override' Header

Поделиться
HTML-код
  • Опубликовано: 11 сен 2024
  • ESPv2 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases.
    Reference: github.com/Goo...
    .
    .
    .
    .
    .
    Like and Subscribe :)
    Social media:
    Twitter: / medusa_0xf
    Blog:
    / medusa0xf
    #api #bugbounty #twitter #vulnerability #postman ostman #pentesting #api #hack #bola #tryhackme #hackerone #apihacking #computerscience #javascript #python #postman #ctf #bughunting #pentesting #hacking #hackingtools #burpsuite #portswigger #ethicalhacking #OAuth #webhacking #programming #websecurity #technology #practical #artificialintelligence #web #recon #bypass
  • НаукаНаука

Комментарии • 13

  • @docmalitt
    @docmalitt Год назад

    First time I hear about this header (well, that's not hard, of course) and even it sounds ... hackerish. Great vid and thank you for making them.... I would still venture imho that watching is much easier that creating them.

  • @MichaelCooter
    @MichaelCooter Год назад

    Fantastic tutorial! I’ve never thought about this via that header. Thank you . Are you on any other social media like twitter also ?

    • @Medusa0xf
      @Medusa0xf  Год назад

      Check out the description

  • @nishantdalvi9470
    @nishantdalvi9470 5 месяцев назад

    Enjoyed learning something new : )

    • @Medusa0xf
      @Medusa0xf  4 месяца назад +1

      Glad to hear it!

  • @Myg-sl6ln
    @Myg-sl6ln 4 месяца назад +1

    Your video are great 🔥
    Can you make an video on how to bypass cloudflare protection

  • @bughunter9766
    @bughunter9766 Год назад

    🎉Great video,

  • @aechapark4299
    @aechapark4299 Год назад

    I got a problem for the postman got an error when i type this command sudo docker-compose -f etc

  • @badhacker0x1
    @badhacker0x1 Год назад +1

    Im in love with you

  • @nareshrapthadu8262
    @nareshrapthadu8262 Год назад

    Please make video on API Recon steps to get api subdomains and end points to test

  • @Rxqqq
    @Rxqqq Год назад

    First comment 👋

  • @The_Ethical_TN
    @The_Ethical_TN Год назад

    Hello Medusa ❤ any idea to bypass API code 400 /414

Следующие
Автовоспроизведение
Bypass JWT Authentication By Bruteforcing Secret Key | PortSwigger |6:54Bypass JWT Authentication By Bruteforcing Secret Key | PortSwigger |
Bypass JWT Authentication By Bruteforcing Secret Key | PortSwigger |Medusa
Просмотров 1,4 тыс.
Bypassing GraphQL Brute-Force Protections11:58Bypassing GraphQL Brute-Force Protections
Bypassing GraphQL Brute-Force ProtectionsMedusa
Просмотров 438
HTML Injection | Bug Bounty POC0:59HTML Injection | Bug Bounty POC
HTML Injection | Bug Bounty POCJiiva hacks
Просмотров 301
I’m OFFICIALLY A Homeowner | Building My Dream Home, Ups & Downs, The Process, Closing Day and MORE45:24I’m OFFICIALLY A Homeowner | Building My Dream Home, Ups & Downs, The Process, Closing Day and MORE
I’m OFFICIALLY A Homeowner | Building My Dream Home, Ups & Downs, The Process, Closing Day and MOREDe'arra Taylor
Просмотров 335 тыс.
THE WEEKND - SÃO PAULO LIVESTREAM1:33:29THE WEEKND - SÃO PAULO LIVESTREAM
THE WEEKND - SÃO PAULO LIVESTREAMThe Weeknd
4 дня назад
Reaction to Cowboys-Browns, Raiders-Chargers, Broncos-Seahawks, Tom Brady on FOX | Colin Cowherd NFL59:19Reaction to Cowboys-Browns, Raiders-Chargers, Broncos-Seahawks, Tom Brady on FOX | Colin Cowherd NFL
Reaction to Cowboys-Browns, Raiders-Chargers, Broncos-Seahawks, Tom Brady on FOX | Colin Cowherd NFLThe Colin Cowherd Podcast
Просмотров 384 тыс.
49ers dominate Jets, Should the Browns have stayed with Baker Mayfield? | NFL | THE HERD15:1149ers dominate Jets, Should the Browns have stayed with Baker Mayfield? | NFL | THE HERD
49ers dominate Jets, Should the Browns have stayed with Baker Mayfield? | NFL | THE HERDThe Herd with Colin Cowherd
Просмотров 312 тыс.
How Hackers Exploit API Endpoints Using Documentation?7:13How Hackers Exploit API Endpoints Using Documentation?
How Hackers Exploit API Endpoints Using Documentation?Medusa
Просмотров 5 тыс.
How To Exploit SSRF To Fetch AWS Credentials9:07How To Exploit SSRF To Fetch AWS Credentials
How To Exploit SSRF To Fetch AWS CredentialsMedusa
Просмотров 1,3 тыс.
Exploring Server-Side Parameter Pollution: Real Case Scenario, Parameter Precedence, and More!15:17Exploring Server-Side Parameter Pollution: Real Case Scenario, Parameter Precedence, and More!
Exploring Server-Side Parameter Pollution: Real Case Scenario, Parameter Precedence, and More!Medusa
Просмотров 623
How Can Fuzzing Help You Find Hidden API Endpoints?9:18How Can Fuzzing Help You Find Hidden API Endpoints?
How Can Fuzzing Help You Find Hidden API Endpoints?Medusa
Просмотров 5 тыс.
How BOLA in API Endpoint can lead to Account Takeover | Postman | API Security4:38How BOLA in API Endpoint can lead to Account Takeover | Postman | API Security
How BOLA in API Endpoint can lead to Account Takeover | Postman | API SecurityMedusa
Просмотров 930
Finding a Hidden GraphQL Endpoint9:02Finding a Hidden GraphQL Endpoint
Finding a Hidden GraphQL EndpointMedusa
Просмотров 607
0.0.0.0 Browser Vulnerability Exploit | Proof of Concept (POC) Made by ME6:540.0.0.0 Browser Vulnerability Exploit | Proof of Concept (POC) Made by ME
0.0.0.0 Browser Vulnerability Exploit | Proof of Concept (POC) Made by MEDevSec Hacker
Просмотров 140
LLM API Hacking | Indirect Prompt Injection in LLM APIs | PART 410:10LLM API Hacking | Indirect Prompt Injection in LLM APIs | PART 4
LLM API Hacking | Indirect Prompt Injection in LLM APIs | PART 4Medusa
Просмотров 568
How to Discover API Subdomains? | Subdomain Enumeration | API Hacking5:26How to Discover API Subdomains? | Subdomain Enumeration | API Hacking
How to Discover API Subdomains? | Subdomain Enumeration | API HackingMedusa
Просмотров 1,1 тыс.
КРАШ ТЕСТ REALME C6100:43КРАШ ТЕСТ REALME C61
КРАШ ТЕСТ REALME C61Milo Slava
Просмотров 15 тыс.
Нашли телефон спустя 5 лет00:25Нашли телефон спустя 5 лет
Нашли телефон спустя 5 летUp Your Brains
Просмотров 4,5 млн
😱 iphone 15 pro vs iphone 14 pro max speed test 😨00:14😱 iphone 15 pro vs iphone 14 pro max speed test 😨
😱 iphone 15 pro vs iphone 14 pro max speed test 😨Tech_Compareing
Просмотров 9 млн
Mac USB00:59Mac USB
Mac USBAlina Saito / 斎藤アリーナ
Просмотров 2,6 млн
Lithium cell can get burn01:01Lithium cell can get burn
Lithium cell can get burnWhat is inside
Просмотров 7 млн
Google Pixel 8 Pro на 128 gb! Илии.... #shorts #shortvideo00:20Google Pixel 8 Pro на 128 gb! Илии.... #shorts #shortvideo
Google Pixel 8 Pro на 128 gb! Илии.... #shorts #shortvideoUNIT | ЮНИТ | IPHONE 15
Просмотров 1,1 млн
Что за спешка, AMD? Всё о Ryzen 9000 | Zen 5 с запасом19:04Что за спешка, AMD? Всё о Ryzen 9000 | Zen 5 с запасом
Что за спешка, AMD? Всё о Ryzen 9000 | Zen 5 с запасомМой Компьютер
Просмотров 94 тыс.
Лучший Бюджетный Смартфон за 15600? 70 Ватт Быстрая Зарядка, Стерео, Амолед Экран. Tecno Camon 3020:33Лучший Бюджетный Смартфон за 15600? 70 Ватт Быстрая Зарядка, Стерео, Амолед Экран. Tecno Camon 30
Лучший Бюджетный Смартфон за 15600? 70 Ватт Быстрая Зарядка, Стерео, Амолед Экран. Tecno Camon 30РасПаковка ДваПаковка
Просмотров 26 тыс.