always learning with this video! Thanks for doing this!
@_CryptoCat 3 years ago
thanks mate, glad it helps 🥰
@gordonfreeman6262 3 years ago
very cool video! 15:23 why would anyone verify their JWT with an additional algo? like if you're signing them with RS256 why verify with either (RS256 OR HS256)?
@_CryptoCat 3 years ago
thank you mate 🥰 very good question! i would have assumed that this would only arise from developer error but apparently some argue "some servers need to support more than one algorithm for compatibility reasons" - auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ 😕
@dominicldoe4838 3 years ago
You make great videos. What about the other 4 challenges? I think you solved 22 or 23 out of 25 out of all. I looked it up from the scoreboard as you were in top 100.
@_CryptoCat 3 years ago
thanks mate 🥰 i got 21/25 and came around 60th place. i'll probably not make any videos for this CTF but if they retire some of the other day 5 challenges i will do 😁
@AUBCodeII 3 years ago
Hey CryptoCat. I don't know anything about pwn and reversing (except to read its strings in hope of finding the flag). Can you please tell me where I can learn how to solve this kind of challenge? Thank you very much!
@_CryptoCat 3 years ago
sure! i've made a list of my favourite resources here: github.com/Crypto-Cat/CTF#readme but the main thing is just keep working on the practical side of things; spend time on challenges when you can and try to understand the writeups after, before you know it you'll be the one making the writeups 😉