Hack JWT using JSON Web Tokens Attacker BurpSuite extensions
HTML-код
- Опубликовано: 21 авг 2024
- In this video, you will hack a vote feature by exploiting a JWT implementation weakness using two BurpSuite extensions: JSON Web Tokens and JSON Web Tokens Attacker (JOSEPH).
- Download your FREE Web hacking LAB: thehackerish.c...
- Read more on the blog: thehackerish.com
- Support this work: thehackerish.c...
- Facebook Page: / thehackerish
- Follow us on Twitter: / thehackerish
- Listen on Anchor: anchor.fm/theh... Listen on Spotify: open.spotify.c...
- Listen on Google Podcasts: podcasts.googl...
Idea for next video: Burp bounty Extension. All videos currently on youtube have no voice over. Please cover this extension in depth as you did for JWT tokens. Great job again!
Thanks for the suggestions!
You are explaining everything well. Thanks man.
Welcome! Enjoy!
Suite is pronounced as "sweet".
Thanks for the great content.
Very well explained
Quick one sir , how do I craft a new timestamp in the JWT payload. Gained a new Subscriber , thank you very much kindly do in depth tutorials on burp extensions .
run on the terminal: date +%s
Bro make video on burpbounty,burp collaborator everywhere and X-Forwarded-For extension. Awaiting for your video.
Thanks for your suggestion!
Please create more content!!
Can u upload all the vulnerability related JWT and garphQL
in this process we find upcoming period or number sir!!
You are the best one😘.
You are as well!
thanks
nice content
very nice
is all the token is base64 encode or it depends on the application?
You will always find the same structure. It doesn't depend on the application, it is a standard.
1) For the highlighted request with comment as "Contains a JWT", it shows token in Response and not in the Request. Why the request is not having JWT? Also the request which has token is not highlighted with Contains a JWT.
2) The JWT token comes after we login with correct UserID and Password. It does not show before we login into the page. Is this correct? Is this how it is supposed to be?
1- The extension detects whenever there is a JWT token either in the request or the response.
2- Yes, JWT tokens are usually used after authentication, in this case using a username and a password
Take ❤️❤️❤️❤️
I know am a little late but great video thank you very much well explained 🙏🤘
Never late, welcome!
♥️
one video cover the all (burp suite extensions), can you
That would result in a very loooong video which I cannot make unfortunately.
Bro make a video on WAF bypass extension plzzz
My laptop says “AuthSdkError: The JWT was issued in the future”..
Can you please help me?
set the iat field of the JWT to a correct timestamp I guess.
Nice. So what the secure way to implement JWT token.
Validate the signature. Use strong keys for HSxxx, prefer RSA, etc
@@thehackerish Thank you so much! But while hacking your removing the signature if use RSA also still you can hack using xss or csfr attacks right. I am having this issuein my website. I want your advise😀
@@Nirusvlogs JWT will protect against CSRF if not put in a cookie. However, XSS would exfiltrate the JWT. In this case, you can implement proof-of-possession tools.ietf.org/html/rfc7800.
Bad token; invalid alg
Hi can you hack carrom pool gems and coins please
Nope, sorry!
Can you send me file carrom
Sorry, How add in burp in request JSON WEB TOKENS?