@@SergeiKarimov both has happened a lot and may even still be happening. But this is a webgoat which is meant to demonstrate why it is not a good idea to forget about alg:none.
I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore
Nope if i wrote that backend. 1. Never put password in payload. 2. Password should be hash not encrypt 3. if the algorithm does not exist in header of JWT then it returns 401 Can still you beat that? Let me know
He also used md5 which was broken like 15 years ago. Even if you put password hash in JWT by mistake, if it was any decent hash like SHA256 he wouldn't be able to do anything
Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe
The original JWT did have a secret key (using the RS256 type). He intercepted and sent over a perfectly valid JWT after modifying it. The real problem is that the backend server accepted the "typ: None" JWT. When it should ONLY be allowing and validating "typ: RS256" JWTs. The backend server is poorly misconfigured.
You would be able to decode it, but not to forge it like this. Any normal web backend would check the signature of the JWT and notice that it is forged, and that's where this attack would stop.
Video Suggestions: 1. Video About wireshark And wifite 2. Video on how to hack any pdf's password with "rockyou" wordlist 3. Make a video about anonymity with kali "whoami" 4. A video on how to dual boot Kali Linux 5. A video a on BYOB Botnet 6. Full tutorial about Burpsuite
No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.
JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.
ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.
Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.
Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.
This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".
This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.
MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!
Ever heard of rainbow tables? Also there are all sorts of MD5 decryption programs. And shitty password security is one of the most frequent vulnerabilities hackers use. But nowadays no framework/website will use MD5 by default. Or allow alg:none in JWT.
@@IvanRandomDude you are confusing preimage resistance (which is still strong for md5) with collision resistance (which is the weak point of md5). While it is still not easy to reverse an md5 to the original value, you can find other values that will be hashed to the same encrypted sequence.
hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔
This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.
this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...
Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.
Exactly! jwt is used in place of a password. It's like a password in a sense but only valid for short period of time. so if you do manage to get a user's jwt. you have to use it within a short period of time ( usually less than 4 hours ) before it becomes invalid and prompting you to login with the real password. Taking into account the effort and time needed to steal a valid jwt. You have to use it immediately which will alert the user to a breach! furthermore there is nothing you can do to extend the expiration date. absolutely not worth the effort. I would rather try to steal the real password instead.
Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.
@@SergeiKarimov I was talking about the phase of covering tracks... similar to how you would disable auditing, delete logs and then use cipher.exe to overwrite the deleted files to cover tracks.
But the server didn't though! Changing the type to None made the token valid again because it doesn't need a signature anymore. The server is intentionally misconfigured to accept None typed tokens.
@@hardcorecode they wouldn't intentionally. There was a few auth0 articles about notifying JWT library maintainers to check against this exploit back in 2020. Using "None" has an internal use case and it is valid according to spec.
Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?
Hello Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?
Wear on your thinking cap 🧢 this is for educational purposes only! Hacking without permission is illegal and ethical hacking is preformed under the supervision of law. You can get into big trouble then you go to jail 🤓🤓🤓
I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.
Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore
Great vid for starters. But was engineered to be a successful hack experiment.. Relies on endpoint server allowing unencrypted tokens in bearer auth. port 3000.. so a node app? So what you used express-jwt & set the algorithm array to accept sha256 or no-encrypt? Sorry, but that's a bit silly. If someone did that on their server app, then they deserve to be hacked. Further... what kind of developer puts the encrypted password hash in the jwt token response; and further relies upon it for "current password" checking onChange request? Never trust anything from the client. That's rule #1. I mean... Again... this was engineered to be a successful hack experiment. It was a great entry level experiment don't get me wrong. I just ... i just don't know why i feel dirty after seeing this, so had to say something. Perhaps I know too much and I just need to go find my corner and sit in it, away from everyone else for a while....
Nope, its not you. I learned about JWT like three months ago for the first time in my life. Even I was like "whoa" the moment he decrypted the token and it had the password in it. I dont know anyone that would do that.
Terrible. Why not do tutorials on how to build secure systems? 1. You never, never, never put a password in a JWT, ever 2. Where's the OAuth and OpenID
could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???
1) Don't put the password, or anything intended to be secret, in the JWT 2) On the backend, make sure the specified algorithm is the one you expect (and definitely not none), and that the signature is correct (which an attacker can't forge after modifying data unless they know the key, which should be a secret)
im junior web frontend, i use jwt in nextjs. but i create my backend(nestjs) app to set secret in jwt and never set password in the payload of jwt just set sub/id and ername/email. i think in the production people never set password in the payload and will set jwt secret. cmiiw
What does JSON stand for?
Btw nice videos keep it up
JavaScript Object Notation❤️
Java's Son on Nite
Jesus Christ… that’s JSON Bourne!!
JavaScript Object Notation
this is a very vulnerable backend that won't exist in real world
Thanks for the tip, i immediately stopped watching the video after reading your comment.
Details needed if want you to oppose a video , otherwise it's just your word against his with no proof , In short no one will care
@@RichardPhillips1066 alg:none is not accepted by any real world website. Also storing password in JWT as MD5 hash is even more stupid
Yes this site is intentionally vulnerable as a learning tool, but you'd be surprised what fuckery people do when they're lazy
@@SergeiKarimov both has happened a lot and may even still be happening. But this is a webgoat which is meant to demonstrate why it is not a good idea to forget about alg:none.
I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore
Nope if i wrote that backend.
1. Never put password in payload.
2. Password should be hash not encrypt
3. if the algorithm does not exist in header of JWT then it returns 401
Can still you beat that?
Let me know
He also used md5 which was broken like 15 years ago. Even if you put password hash in JWT by mistake, if it was any decent hash like SHA256 he wouldn't be able to do anything
@@IvanRandomDude anyway, what kind JWT sistem does't verify incoming JWT, right?😂
@@IvanRandomDude looks like the video is just for entertainment
yep, true.. always remember, never put password in JWT payload.. even if u already bcrypt the password, still, don't ever put it inside JWT payload..
Noone can, just targeting high rank keywords for hackers dumbs for views
Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe
The original JWT did have a secret key (using the RS256 type). He intercepted and sent over a perfectly valid JWT after modifying it. The real problem is that the backend server accepted the "typ: None" JWT. When it should ONLY be allowing and validating "typ: RS256" JWTs. The backend server is poorly misconfigured.
You would be able to decode it, but not to forge it like this. Any normal web backend would check the signature of the JWT and notice that it is forged, and that's where this attack would stop.
Exactly. only the jwt token without passwords and email. should appear on the payload. 👏👏👏
exactly
@@pixelotetm and id should be a guid, not the number
Video Suggestions:
1. Video About wireshark And wifite
2. Video on how to hack any pdf's password with "rockyou" wordlist
3. Make a video about anonymity with kali "whoami"
4. A video on how to dual boot Kali Linux
5. A video a on BYOB Botnet
6. Full tutorial about Burpsuite
You explain like a learner not a tutor and we understand as a master trainer ! Too good! From india
No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.
This is highly unlikely situation, but yeah a determined hacker and a foolish developer, anything is possible.
Wow your the real Mr.Robot with full explanation. Thank you for the video.
JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.
ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.
Thanks! I've been searching how to get it and this is brilliant :D
Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.
Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.
This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".
This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.
MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!
Ever heard of rainbow tables? Also there are all sorts of MD5 decryption programs. And shitty password security is one of the most frequent vulnerabilities hackers use. But nowadays no framework/website will use MD5 by default. Or allow alg:none in JWT.
LinkedIn got hacked in the past due to md5 hashing their passwords. I suggest not to do it ;)
@@kimgysen10 wait, seriously? they really used md5?
@@Andreas-gh6is Yes, but at the same time if you salt your hash, the attacker may never crack it
how about bcrypt? is it better than md5?
Sir awesome your explain....which year did you learn hacking course?
You don't put passwords (even hashed) in JWTs
You check if the hashed passwords match and then you never use the password again. You use JWTs and you refresh them.
On top of that he used md5 hash that was broken like 15 years ago and it's easy to reverse.
@@IvanRandomDude you are confusing preimage resistance (which is still strong for md5) with collision resistance (which is the weak point of md5). While it is still not easy to reverse an md5 to the original value, you can find other values that will be hashed to the same encrypted sequence.
I'm learning about JWT and you explained it better
anyone who doesn't know how JWT works will say he's the best.
that's tutorial for entertainment purposes only 🤣
He explained how not to use them.
Awesome tutorial Loi! As always thanks for sharing!
Great. I can prevent hacking by your video. Thank you.
He demonstrated the most basic alg:none exploit which you won't meet in a real world
you deserve to be a comedian 😆
he is not?
Usually the password is never contained in the jwt for security purposes....
The point of the video is not get the password in the jwt. Is forge it
This is if u try to hack a noob developer :D
LMAO!! I was rolling with that "super secure password"
hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔
Site who dont check for jwt signature deserve to be hacked
Thats tutorial only for entertainment purposes 🤣
Loi Yang , I saw this video what if you change the role customer to admin ? Would it be more easy to bypass I guess ? Or I am wrong ?
I tried and it is installed thank u very much anda
Excellent video. I am now trying to hack my own API 😂😂.
If we provide algorithm while decryption then we can avoid this attack
What
Yes, just check the token algorithm and verify its signature for any requests
Thanks!
I learned a lot from you
Thank you my beautiful teacher loi
I wish I could shake hands with you in real life ❤️❤️🌹
Passwords never appears in JWT. Just ids or roles. And we verify the token with certs every request so its not a problem :P
This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.
this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...
Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.
Exactly! jwt is used in place of a password. It's like a password in a sense but only valid for short period of time. so if you do manage to get a user's jwt. you have to use it within a short period of time ( usually less than 4 hours ) before it becomes invalid and prompting you to login with the real password. Taking into account the effort and time needed to steal a valid jwt. You have to use it immediately which will alert the user to a breach! furthermore there is nothing you can do to extend the expiration date. absolutely not worth the effort. I would rather try to steal the real password instead.
That backend is bonkers
Just make sure to use REDIS to validate the token.
Nice video, but when I use the MD5 decoder it comes back as "Bad Format"... Doesn't work.
Nice video, it works!
Which is why no framework/library/website allows alg:none by default.
what foolish developer would even put their passwords in the JWT claim?
Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.
he exploits very basic vulnerability alg:none which is virtually impossible to meet in a real world
@@SergeiKarimov I was talking about the phase of covering tracks... similar to how you would disable auditing, delete logs and then use cipher.exe to overwrite the deleted files to cover tracks.
Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on c2?
wdym by tutorial on C2, its just command and control from server - client / client - server setup, idk what kind of tutorial you need in this 🤔
He lost me when he said " change the token to admin " doing so invalidates the token. The server will reject the token !!
But the server didn't though! Changing the type to None made the token valid again because it doesn't need a signature anymore. The server is intentionally misconfigured to accept None typed tokens.
@@Elte156 Oh... why would any developer accept an unsigned token?
@@hardcorecode they wouldn't intentionally. There was a few auth0 articles about notifying JWT library maintainers to check against this exploit back in 2020. Using "None" has an internal use case and it is valid according to spec.
@@Elte156 Wow... I didn't know... thanks.
How to gunzip a compressed payload?
Thank you so much you really help me :)
explain about how we can exploit a camera over network
The password is in the claims of the jwt?!? No one does that. And if they do they should not have
OP ❤️
Yes Bro nice work and nice video
well, thanks mr Loi
Does samsung knox protect the phone from hacking
what if there is only the user id stored in the token for eg i use that
i think the only time the password will appear is if the developer set it as "1" in Controller....
Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?
what kind of backend does not verify jwt?
Hello
Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?
backend devs are suposed to DO NOT send back the password.
Please make a video on captive portal setup on router🙏❤️
Wear on your thinking cap 🧢 this is for educational purposes only! Hacking without permission is illegal and ethical hacking is preformed under the supervision of law. You can get into big trouble then you go to jail 🤓🤓🤓
you are awesome
I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.
haha
there shouldn't be a password claim in the token
JWT_Tool automates the task but most of the websites have protection against the None algorithm attack
Hi Loi. Nice video - would you recommend sessions for API's that need more security ?
Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore
Jet Skis on Neptune
Great vid for starters. But was engineered to be a successful hack experiment..
Relies on endpoint server allowing unencrypted tokens in bearer auth. port 3000.. so a node app? So what you used express-jwt & set the algorithm array to accept sha256 or no-encrypt?
Sorry, but that's a bit silly. If someone did that on their server app, then they deserve to be hacked.
Further... what kind of developer puts the encrypted password hash in the jwt token response; and further relies upon it for "current password" checking onChange request?
Never trust anything from the client. That's rule #1. I mean...
Again... this was engineered to be a successful hack experiment.
It was a great entry level experiment don't get me wrong.
I just ... i just don't know why i feel dirty after seeing this, so had to say something.
Perhaps I know too much and I just need to go find my corner and sit in it, away from everyone else for a while....
Nope, its not you. I learned about JWT like three months ago for the first time in my life. Even I was like "whoa" the moment he decrypted the token and it had the password in it. I dont know anyone that would do that.
He's so good at what he does.
Lol is very vulnerable backend. Stores the password of the user in the JWT, it doesnt make any sense, cause this is the purpose of the JWT
how do you get past the secret
Are you kidding me mate? This is no way to hack jwts, this is just crappy, unsecured backend.
Terrible.
Why not do tutorials on how to build secure systems?
1. You never, never, never put a password in a JWT, ever
2. Where's the OAuth and OpenID
Please I need your help someone is trying to hack my website by creating multiple user account what can I do
Now I know how to hack Jason's password. Didnt knw every was after him as well.
💜💜sir plz your hacking lab setup please 💜💜
CAN YOU HELP MAKING VIDEO ON GETTING ACCESS TO SAVED PASSWORDS On ANDROID APPS OR PASSWORDS SAVED IN BROWSERS.
this is tutorial "how to make JWT inside your app authentication hackable"
Which best to learn C or C++
c++
Why c++ is better than C
Make a video on Openbullet 2
could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???
1) Don't put the password, or anything intended to be secret, in the JWT
2) On the backend, make sure the specified algorithm is the one you expect (and definitely not none), and that the signature is correct (which an attacker can't forge after modifying data unless they know the key, which should be a secret)
It worked. Thanks a lot
it worked?? where??
Holy Moly.
Should I learn c programming or just html?
Thanks
Hey guys Let me know, where are you from?
Comment below
I'm from India 🇮🇳
hey man I am from africa and I dont have the money to be an exclusive member so i was just asking if you could give me a pass to your membership
Hello Mr yang are you available to hire
Hi Chriss, chat my telegram ☝️
Yeah, I'm using whitelist.
Also the only thing I'm puting in my payload is user id which is in uuid, good luck finding the admin.
Why would the server respond as OK at 11:43 if the password in the json token for the admin account is possibly wrong?
well you're right, but fun fact the admin password is 12345678 too.
Why??
On the first top ten people to comment
I won't answer that for you Loi
Hi i’m new here how can i get membership ?
Ultimate
how does one hack slmail?
im junior web frontend, i use jwt in nextjs. but i create my backend(nestjs) app to set secret in jwt and never set password in the payload of jwt just set sub/id and ername/email. i think in the production people never set password in the payload and will set jwt secret. cmiiw
Computer specs reveal plsss