Do you prefer Tom or Jerry?

Correct me if i'm wrong! but the main reason for using the JWT is to verify the user without the need to connect a database and compare the values? and also changing the values of the payload misses completely the signature , which already encrypted with secret key and should be rejected in the first place, if someone uses the JWT without verifying it somehow in their website he shouldn't use JWT at all, it's like giving access to everyone and trusting blindly every user!! Steps as far as i know : 1 - get the JWT 2 - verify the signature by decrypting it using the secret key (the most important), exp ... 3 - proceed to the next step (perform any action you need) if 1 fails, reject everything if 1 doesn't fail and 2 fails reject everything if 1 and 2 doesn't fail now you can go to the step three and perform the action

Interesting technique, another scenario to add to my vuln checking, thanks for sharing

While this is good one, it very much depends on dal layer which is by default prevented by dal fw. Also someone using jwt must be using some sort of lib, and not.directly doing jwt implementation. So might not be taht much practical in real world.... Not sure if there is some one that idiot in real world.who queries SQL directly.

Brother, I love all your videos. They are concise, quick, no bullshit, no music and you could not have done a better job.

I'm a bit confused. I thought the whole purpose of the JWT being secure is that the token CAN'T be manipulated (without knowing the private key). When the KID property, EXP property, etc. was changed, I would assume the the server will immediately reject it because the signature would no longer match. Or is the JWT token being used differently in this example?

how did you know which table you needed to insert into ?

from a developers perspective highly unlikely to happen that someone will query a set of keys to just verify a token usually, the public keys are stored in some form of cache for a lower response time, and the "unsafe headers" are not usually passed down directly to any query. if the key is not found in the cache the authentication fails

how did key-id with sql query from some table that gives you no useful information, give you the authorization to delete user? server side key id targets nothing and server does not throw an error so then it authenticates you?

Sir Loi, it was a great hacking tutorial! But now the thing is, how can "we" secure our JWT tokens and the websites using JWT?

Is it possible to hack if MongoDB is being used?

1:18 - "We're trying to remove the cats account"... That sounds so wrong lmao

But the jwt tokens are created using a secret key in server . So if we change the payload then the server will not verify the token. Because the secret will be changed..So will this method work?

Did you really read those books thoroughly ?

How did you know the location? Usually I’ve had to run sql multiple times to escalate ad find location names.

Hello, Thanks for the video. How can we prevent this ?

Hey how did you learn to hack , like any courses or like college ?

I didn't understand how you knew the key?

Good brief, Loi. Thanks. I touch on this subject for the PenTest+ class I teach. Useful content here.

U always have good vids! 👏 Keep going!

How would you protect against this attack?

We must have a long random key. Am I right?

Where telegram group for basic hacking step by step thanks you so much🤔

is it mean you have to know the server containing the key first?

how yo get a m3u8 link with only the token data which expire in 10 second interval and a new token data arrives ?

Make a video in sql injection

I've also done this once in a CTF by setting the algorithm to none :D

Hi hacker loi sir,kindly make a video on kon boot please

every website encrypt token different with different algorithms. I tried that website and it didnt tell me token information.

Loi, I swear you're stalking me. I've just been doing labs all weekend on JWT and it was exploding my brain. Now you come along and make videos about this topic? Don't know if a coincidence or if you've hacked me

Sir, How do i watch member only content?

yah, no properly encrypted tokens and no csrf... what could go wrong?

I run linux but i can’t use anything because it’s telling me to remove Kali-menu when i try i get an error can anyone help me please?? 🙏🏻🙏🏻

So how can i protect my jwt from being hacked ?

Sir pls can you tell me how to join your telegram

So How can we use JWT safely?

Not all accounts have a delete button, they do have a encrypted password, or Gmail handles the password handling

Hello, How can I join your KZbin channel from Pakistan? Warm Regards.

Thank you Teacher Loi liang for the educative tutorials 🤝🏾.

Bro ...Any Other Possible to find signature (Key)...Explain Bro

How do you prevent this type of hack?

wait how did he know the name of the table?

What if pub or pvt key in place..? 😒

How to hack RS256 Json web token? Can u please make a video on that

This is bullshit. Just for contents sake.

Yehe , Exact , so how i can safe this in my web ?

Love all your videos dude... instead of hijacking an account I used it to turn my accounts into paid sub....

Ur awesome, thank you for sharing😊😊

Everything on KZbin about hacking is already exploited and patched

How to creat apk like open slot?

1 comment ur good men ❤️

Bro you scared me to death, my entire career is messed up because i use jwt token auth for users all the time

Holy crap.. my app depends entirely on the claims in the jwt :')

HI can anyone know how to watch video protected with pass word video master app

i want my playstation account back i have nto been able to log in in years and stupid sony wont give me it back sense i dont got a 4 year old payment option i have no access to even thought ihave proof on bank statements and i have no access to a old email it might be on that or my account for sony got hacked .

Sir can you me how to hack random android password ?

Yeah man, thanks for your vids!

Is hacking a sin?

there's tons of videos about this, but none about PREVENTION

Woooww Loi Liang Please, please friend activate the subtitles (es) to be able to follow you more clearly.

you can help me for hack token?

Keep Going 😇👌

Is adguard DNS safe

Bro create video your roadmap in hacking

Hi, here's a quick question if I may. New Formatted Win 10 system, install a few applications, suddenly I seen the mouse move and one of the desktop icon has been duplicated. I quickly shut down my machine, and rebooted it. Is that a way to try to steal the login id and access to an account? Should I reformat the computer again? thank you

Tnx what u did. Pls can u upload video how to hack wifi pass with termux app??

You making it looks like a toy.

Hi 'Loi Liang Yang' Please You Can Do a Help For Me Please Please

Thanks for the informative video!

There is no translation available into Arabic

That's why I add en encryption layer. To make it "harder"

Can you do a tutorial about what involves in a online game hacking?

I think all technique on youtube block soon

How to shutdown other peoples computer?

Love your videos

Can you provide a video on how to install Kali Linux on PC 64bit

Can you play a game Grey Hack

Keep up bro

Now that's i call real hacking

i love hacker loi to death but he’s starting to become a script kiddie

I prefer Jerry

Yes.

Amazing

Super cool

1st view

sir do video on mitmf installing in new kali release 2021 we are getting many errors while installing pls do a video of installing mitmf without getting any errors pls pls pls sir

Jesus Saves, John 14:6 amen 🙏🏾

❤️

Pink panther

Huh

OMG

Hi, may I ask what kind of token is this? And how to decode and encode this kind of token. FYAmWWi2cCtjIqwYtCllSGz-ZV3mZ5yRWQ_PK4RQR3A