How Hackers Hack JSON Web Tokens

Captions
Every time you hit a website you've got to make a call, and you've got to identify yourself, and only by identifying yourself are you able to run those calls, say for example to log in, to change your password, to change your profile photo, to search, to do anything. As a result of that, what we're targeting here is to forge our identity, pretending that we are someone else, and see if that works out. In order to run that and make that happen, we'll be targeting something called a JSON Web Token.

Now before we get started, remember to put on your thinking hat right here. Let's go ahead and put that on so that we can get started on today's tutorial.

So on the left side you have your best friend Mr Hacker Loi, who is going to target a specific website, and on the right we have a web page. What happens typically is that the website needs to authenticate the user for authorization, and what happens is that a lot of websites now use application programming interfaces. So any time you do a search, or run any type of instruction over, you need to target the API and you need to provide some kind of value, and in this case we have a JSON Web Token that is sent along with the web request in order to demonstrate who you are. So what we'll do as the attacker is, one, decode a normal JSON Web Token, and then two, change up the value, so we will now be able to disguise ourselves: instead of Mr Hacker Loi we can disguise ourselves as, say, admin, and if that works it gives us a lot more power to target all these different types of APIs going into the website, possibly even giving us administrative access to the site.

So right in front of us we are on Kali Linux. Kali Linux is going to be the ethical hacking operating system to help us identify the vulnerabilities, the openings on the website for us to target. There are a few interesting things as you're running through the website where you could be searching for things, so you could be entering, say, "test" or whatever, literally anything. You click on Account, you click Login, and you can enter your login details. In this case I have already created an account, so let's go ahead and enter that, hackerloi@loiliangyang.com, and I can enter my password, which is a very secure password, and if you want to see what the password is, just click on Show Password. There you go, I tell you, you can trust me. Go and click Login on that, and you can see right here on the top right corner we have the account hackerloi@loiliangyang.com, and we'll be navigating across different parts of the website. Say for example I go to Customer Feedback and I can see all the different details here, I can go over into About Us and all this different data. So again I can go over into More Tools, Web Developer Tools, search for "ad", hit Enter on that and see what we get, and perhaps we can find some possible information for us to use as part of launching the attack. This is something we can do as part of listing down and enumerating all these different users and lists so that we can go after them. Right here you can see the following: we have something @juice-sh.op, so in this case "I love this shop, best products in town, highly recommended", and we have of course ***in, so what could this be? Could it be admin? All right, so admin could be a choice for us, and what we can do now is go ahead and list that, so here I can go ahead and enter, say, admin@juice-sh.op. So in this case we have those details. Go ahead and search some more and see whether we are able to find more possible details. Again we have three asterisks, so we're not sure, but we know that there are three characters there, so again we can enter the information here so that we can use this information later on as far as speeding up the way that we are launching the attacks against the target server. All right, so let's go ahead and search for the next one. Once again we have something d-e-r and @juice-sh.op, so once again I'm not sure what's the answer for it, but let's go ahead and enter it first anyway, so later on when we're launching our attacks it's going to be much more narrow.

Next up, what we can do here is intercept and understand how requests are getting sent over into the target site. That's something we need to do in order to better understand how some of this authentication and authorization process is being run on the target website, so that we can try to change those values a little and see how the website responds to those changed values. So here I've turned on Burp Suite, which is going to be our interceptor, and what I can do now is go back to the website, go to the top right corner, on FoxyProxy click onto Burp Suite, jump back over to Burp Suite, and we can see right here under Proxy that Intercept is on. What I can do now, there are a couple of things: I can click, say, Account, click Login, all right, so we have the interception, I can click Forward, and once we're in here I can try to log in. So let's say I enter the following information again, followed by the password, and I click Login. Once I click Login I can see some details right here, I click Forward, and we can see all these other details, I click Forward again, Forward again, and all this data. So I can go back to HTTP History and we can see several interesting pieces of information here. We have the following: GET user whoami, and in this case if you see the following details we can see we have the referer with a cookie, again whoami, I can see continue-code, I can click user login and we can see welcome banner and all this different data. So as we are surfing through the site we're seeing all these different types of data. So let's go ahead and click on Account for this, and go ahead and log in one more time, and go ahead and intercept and forward all these different details, and we can see some other details here: we have GET /rest/basket, and we have an important detail which is Authorization: Bearer, and if I scroll down further we also have another piece of information which is token=, followed by the token inside here. So I can go ahead and click Forward. Again we are seeing more details of Authorization: Bearer followed by the token right at the end. This is always important information because it demonstrates that whenever we do a GET /rest/user/whoami we are telling them who we are, in order for the call to determine whether they should respond with those details. So let's go ahead and forward that. You can see lots of information here, /api quantities, all this different data, so you can go to HTTP History, you can look over here, API quantities, so we have the Authorization Bearer token, all these different details.

What we can do now, whether it is /rest/user/whoami or whether it is API quantities, what we want to do here is to be able to change up the value a little and see what we get. So first we want to decode it, and two, we want to change the value and see how the website responds for us. So I can do a right click and I can send it to something like Repeater, and once I send it over to Repeater we've got some details here: we've got the Authorization, and you can see right here, based on the value, or based on how a lot of sites may be trying to check upon a user, it is under the Authorization Bearer. So what we can do now is go ahead and try to decode this, so go over to jwt.io, and on jwt.io we have a debugger. What we can see here is the structure of the JSON Web Token. You can see the components on the right: first you have the header, which has the algorithm and the type, in this case we can see for example JSON Web Token; next up we have the payload, so payloads are data within the JSON Web Token, so it could be in this case a name, and of course in some instances there could even be a password, there could be a lot of sensitive data within the payload; and finally we have the verify signature, which you can use depending on the type of algorithm in use. What you can do now is go ahead and paste the encoded value right here on the left, and on the right side it will show you the information. So we've got the header, the type, the algorithm, and we've got the payload information right here: we've got a username, the ID, the email address, password information, which is really interesting, let's take a deep dive on that, and of course we've got the role, the deluxe token and all of those data. All this is important information, and right at the end we have a verify signature, so in this case we have RSA SHA-256.

So what we want to do here now is, perhaps, let's take a look at the password field, which is quite interesting because this could be used possibly for hijacking. Let's go ahead and take a look at that. So now what I'll do is go ahead and double click on this, copy it, go to a website called md5online.org and go to md5-decrypt.html, and once you're in here what you can do is go ahead and paste that value, click Decrypt, and let's take a look at the password. If I scroll down further you can see right here "found: 12345678", that's the password that we use. And oh yes, if you want me to validate your password, go ahead and enter your password in the comment section, I'll do it for free. But this is not what we are trying to achieve here today. What we are trying to achieve here today is to think about what we can do to change up the value a little bit so that we can forge someone's identity, so we can use someone else's identity to do something against the target website. So that's what we're aiming for here.

So what I can do now is go ahead and change up, say for example, the algorithm: can I change the algorithm to say "none", and how would the web server respond? So what I can do is copy the value over here, and I go over to Burp Suite, I can go to something like the Decoder tab, I paste it over here and I will put this as Encode as, in this case, Base64, and I can go in and copy the value here over into something like a text editor, followed by a dot. Now what we want to do next is go back over here into the payload, and in this case perhaps I'm aiming for a specific ID, and I do not care about the username, and in this case perhaps I want to change up the email to say admin@juice-sh.op. So this is the information we've got, and typically the very first user in a lot of websites, with the ID of 1, is going to be the administrator, so that's what we are targeting. We have all these other details, so let's go ahead and copy all this information right here and go ahead and encode it. What we can do now is go over to a website like base64encode.org, paste the value right here, go ahead and click Encode right at the bottom, and once you're done with that scroll down and you'll be able to see the value, and we want to copy this value over into our crafted payload. So here go ahead and paste that in, and now we have it, enter the last dot. In this case, if you were to go back over into the JSON Web Token, right at the bottom we have the verify signature; we do not need this anymore because the algorithm is none. So you can see right here we are back to Burp Suite and this is the original request. If I go ahead and send this over to the target website we get the following response of id 22, hackerloi@loiliangyang.com, and all these different details, so 200 OK. So now, what if we change this up a little bit? I go back to our text editor, I copy the information right here, and I go back to Burp Suite, and now what we're doing is to change up the information in Authorization. So let's go and change that up, paste it over, and we can go all the way to the end, and we have the following token, so I can again paste this over, and let's see what we get. And of course in this case let's change up the X-User-Email too, just to make sure that there is consistency: admin@juice-sh.op. Go ahead, click Send, and we can see right here we have 200 OK, and I can see right at the bottom we get the following response: id 1, admin, and Juice Shop.

Now jump back over to the website and we want to hijack the account by changing the password. So I go to the top right corner, Account, I go to Privacy & Security, I click on Change Password, and right here I'm going to go to the top right corner on FoxyProxy and click onto Burp Suite. So what you can do now is go ahead and enter the current password, followed by the new password, so in this case I'll put 12345678, it doesn't matter, and once you're ready go ahead and click Change. Here we have the interception, I can right click and send it to Repeater, and what we want to do now is to replace the Bearer token as well as the cookie value that we have here on the token. So let's go ahead and do just that: copy the whole chunk of value right here, go back to Burp Suite, and what we can do now is paste it over onto the Authorization Bearer token, likewise for the token on the cookie, paste it over, and in three, two, one, click Send, and you can see right here we've got the following result: we have username admin, which means it's a success, we have HTTP 200 OK. So what I can do here now is go back over to the website, I can turn on FoxyProxy, I click Account, I click Logout, I click Account again and click Login, and now in this case I can enter admin@juice-sh.op followed by the password 12345678. So the reality is I don't even need the password. I click Login and boom, look at the top right corner, we are in, we have hijacked into their account. Isn't that amazing, isn't that beautiful? Like, share, subscribe and turn on notifications so that you don't get hacked.
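The alg none forgery walked through in the captions above, together with the server-side check that stops it, as an added example that is not part of the video or of the Juice Shop project. It is a pure-Python JWT helper (no library) that mints an HS256 token under a constructed key, rebuilds it as an unsigned alg none token with an edited id claim the way the video does, and then compares a verifier that trusts the header's alg field with one that pins the algorithm. The key, the claim values and all function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo signing key; a real server keeps this out of the token entirely.
DEMO_KEY = b"demo-signing-key-not-from-the-video"


def b64url_encode(raw: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, key: bytes) -> str:
    """Mint a token the way a server would: HMAC-SHA256 over header.payload."""
    signing_input = f"{encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What the jwt.io debugger shows: header and payload, with no trust implied."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def alg_none_variant(token: str, **claim_changes) -> str:
    """Rebuild the token as in the video: alg 'none', edited claims, empty signature.
    Used here as the test vector a verifier must reject."""
    _header, payload = decode_unverified(token)
    payload.update(claim_changes)
    return f"{encode_part({'alg': 'none', 'typ': 'JWT'})}.{encode_part(payload)}."


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable verifier: lets the attacker-controlled header choose the algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # forged token accepted as-is
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: the server pins the algorithm, so 'none' (or any other
    alg the header names) is rejected before the signature is even looked at."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None  # wrong segment count, bad base64 or bad JSON
    if header.get("alg") != "HS256" or not sig:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    genuine = issue_hs256({"id": 22, "email": "user@example.test", "role": "customer"}, DEMO_KEY)
    forged = alg_none_variant(genuine, id=1, email="admin@example.test", role="admin")
    print("naive verifier on forged token :", verify_naive(forged, DEMO_KEY))
    print("strict verifier on forged token:", verify_strict(forged, DEMO_KEY))
    print("strict verifier on genuine     :", verify_strict(genuine, DEMO_KEY))
```

The design point is in verify_strict: the expected algorithm is a server-side constant, not something read from the token, and an empty or unparseable signature is rejected before any claim is trusted. Real JWT libraries expose the same idea as an explicit allowed-algorithms parameter; leaving it unset is what lets the header-edited token in the video through.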
Info
Channel: Loi Liang Yang
Views: 89,572
Keywords: hacker, hacking, cracker, cracking, kali linux, kali, metasploit, ethical hacking, ethical hacker, penetration testing, penetration tester, owasp, jwt, json
Id: RFKbHrqMiv8
Length: 13min 14sec (794 seconds)
Published: Sat Oct 22 2022