What does JSON stand for?

this is a very vulnerable backend that won't exist in real world

I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore

Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe

Nope if i wrote that backend. 1. Never put password in payload. 2. Password should be hash not encrypt 3. if the algorithm does not exist in header of JWT then it returns 401 Can still you beat that? Let me know

Video Suggestions: 1. Video About wireshark And wifite 2. Video on how to hack any pdf's password with "rockyou" wordlist 3. Make a video about anonymity with kali "whoami" 4. A video on how to dual boot Kali Linux 5. A video a on BYOB Botnet 6. Full tutorial about Burpsuite

You explain like a learner not a tutor and we understand as a master trainer ! Too good! From india

This is highly unlikely situation, but yeah a determined hacker and a foolish developer, anything is possible.

No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.

Wow your the real Mr.Robot with full explanation. Thank you for the video.

JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.

Thanks! I've been searching how to get it and this is brilliant :D

MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!

I'm learning about JWT and you explained it better

Usually the password is never contained in the jwt for security purposes....

Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.

ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.

Great. I can prevent hacking by your video. Thank you.

You don't put passwords (even hashed) in JWTs

Sir awesome your explain....which year did you learn hacking course?

Awesome tutorial Loi! As always thanks for sharing!

I learned a lot from you Thank you my beautiful teacher loi I wish I could shake hands with you in real life ❤️❤️🌹

This is if u try to hack a noob developer :D

Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.

This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.

Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.

Just make sure to use REDIS to validate the token.

Site who dont check for jwt signature deserve to be hacked

Excellent video. I am now trying to hack my own API 😂😂. If we provide algorithm while decryption then we can avoid this attack

Passwords never appears in JWT. Just ids or roles. And we verify the token with certs every request so its not a problem :P

Which is why no framework/library/website allows alg:none by default.

I tried and it is installed thank u very much anda

Thanks!

This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".

That backend is bonkers

Nice video, but when I use the MD5 decoder it comes back as "Bad Format"... Doesn't work.

explain about how we can exploit a camera over network

hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔

this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...

what foolish developer would even put their passwords in the JWT claim?

Loi Yang , I saw this video what if you change the role customer to admin ? Would it be more easy to bypass I guess ? Or I am wrong ?

Please make a video on captive portal setup on router🙏❤️

He's so good at what he does.

LMAO!! I was rolling with that "super secure password"

Thank you so much you really help me :)

This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.

i think the only time the password will appear is if the developer set it as "1" in Controller....

JWT_Tool automates the task but most of the websites have protection against the None algorithm attack

well, thanks mr Loi

Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.

what kind of backend does not verify jwt?

Now I know how to hack Jason's password. Didnt knw every was after him as well.

He lost me when he said " change the token to admin " doing so invalidates the token. The server will reject the token !!

How to gunzip a compressed payload?

what if there is only the user id stored in the token for eg i use that

Hey guys Let me know, where are you from? Comment below I'm from India 🇮🇳

Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on c2?

Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?

Nice video, it works!

this is tutorial "how to make JWT inside your app authentication hackable"

you deserve to be a comedian 😆

backend devs are suposed to DO NOT send back the password.

💜💜sir plz your hacking lab setup please 💜💜

CAN YOU HELP MAKING VIDEO ON GETTING ACCESS TO SAVED PASSWORDS On ANDROID APPS OR PASSWORDS SAVED IN BROWSERS.

Make a video on Openbullet 2

haha there shouldn't be a password claim in the token

Yes Bro nice work and nice video

Wear on your thinking cap 🧢 this is for educational purposes only! Hacking without permission is illegal and ethical hacking is preformed under the supervision of law. You can get into big trouble then you go to jail 🤓🤓🤓

The password is in the claims of the jwt?!? No one does that. And if they do they should not have

Does samsung knox protect the phone from hacking

Yeah, I'm using whitelist. Also the only thing I'm puting in my payload is user id which is in uuid, good luck finding the admin.

I won't answer that for you Loi

Why would the server respond as OK at 11:43 if the password in the json token for the admin account is possibly wrong?

Hello Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?

Please I need your help someone is trying to hack my website by creating multiple user account what can I do

Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore

you are awesome

how do you get past the secret

Ah yea, the good ol' md5 hashed user password inside jwt claims. Classic

could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???

Jet Skis on Neptune

Lol is very vulnerable backend. Stores the password of the user in the JWT, it doesnt make any sense, cause this is the purpose of the JWT

Great vid for starters. But was engineered to be a successful hack experiment.. Relies on endpoint server allowing unencrypted tokens in bearer auth. port 3000.. so a node app? So what you used express-jwt & set the algorithm array to accept sha256 or no-encrypt? Sorry, but that's a bit silly. If someone did that on their server app, then they deserve to be hacked. Further... what kind of developer puts the encrypted password hash in the jwt token response; and further relies upon it for "current password" checking onChange request? Never trust anything from the client. That's rule #1. I mean... Again... this was engineered to be a successful hack experiment. It was a great entry level experiment don't get me wrong. I just ... i just don't know why i feel dirty after seeing this, so had to say something. Perhaps I know too much and I just need to go find my corner and sit in it, away from everyone else for a while....

My Facebook account hacked not showing in Facebook help me to recover I don't have money plzz help

Thanks

can you beat Bjorka?

Hacker Loi this is great info. How do more of this kind

Hi Loi. Nice video - would you recommend sessions for API's that need more security ?

This is the problem for all web backends that are written in js

Computer specs reveal plsss

how does one hack slmail?

I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.

OP ❤️

thats overly simple, all based on unsecured cookies and only encoded. This is early 2000's hacking ahahahha

hey man I am from africa and I dont have the money to be an exclusive member so i was just asking if you could give me a pass to your membership

Which best to learn C or C++

Are you kidding me mate? This is no way to hack jwts, this is just crappy, unsecured backend.

Pls help. How to hack the location of the person using phone number? I also need to hack his computer and phone to delete some photos 😭😭😭 pls help me.

Hello Mr yang are you available to hire

didnt know it was that easy to get hacked. d hell