How Hackers Hack JSON Web Tokens

Рет қаралды 90,166

Жыл бұрын

// Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: / @loiliangyang
// Courses //
Full Ethical Hacking Course: www.udemy.com/course/full-web...
Full Web Ethical Hacking Course: www.udemy.com/course/full-web...
Full Mobile Hacking Course: www.udemy.com/course/full-mob...
// Books //
Kali Linux Hacking: amzn.to/3IUXaJv
Linux Basics for Hackers: amzn.to/3EzRPV6
The Ultimate Kali Linux Book: amzn.to/3m7cutD
// Social Links //
Website: www.loiliangyang.com
Facebook: / loiliangyang
Instagram: / loiliangyang
LinkedIn: / loiliangyang
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.

Пікірлер: 261

@LoiLiangYang Жыл бұрын

What does JSON stand for?

@nickpapaefthimiou4829 Жыл бұрын

Btw nice videos keep it up

@allshorts-a1661 Жыл бұрын

JavaScript Object Notation❤️

@JontheRippa Жыл бұрын

JavaScript Object Notation

@kerhabplays Жыл бұрын

Java's Son on Nite

@socksoff5th Жыл бұрын

Jesus Christ… that’s JSON Bourne!!

@aidenkwong2595 Жыл бұрын

this is a very vulnerable backend that won't exist in real world

@hussainbharmal5998 Жыл бұрын

Thanks for the tip, i immediately stopped watching the video after reading your comment.

@RichardPhillips1066 Жыл бұрын

Details needed if want you to oppose a video , otherwise it's just your word against his with no proof , In short no one will care

@SergeiKarimov Жыл бұрын

@@RichardPhillips1066 alg:none is not accepted by any real world website. Also storing password in JWT as MD5 hash is even more stupid

@alexwyner1919 Жыл бұрын

Yes this site is intentionally vulnerable as a learning tool, but you'd be surprised what fuckery people do when they're lazy

@Andreas-gh6is Жыл бұрын

@@SergeiKarimov both has happened a lot and may even still be happening. But this is a webgoat which is meant to demonstrate why it is not a good idea to forget about alg:none.

@joshuafountain Жыл бұрын

I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore

@ReligionAndMaterialismDebunked Жыл бұрын

Lol. You're wrong then. Quick to judge, fool. Plus, you didn't end your last statement with any closing mark(s). 💀🤡

@ReligionAndMaterialismDebunked Жыл бұрын

O.o Plenty of bounties rely on these API keys since API keys are barely looked at by most security people, and by most web developers, as plenty of successful ethical hackers explain they get paid a ton by these exploits. Many don't encrypt keys, leave them out in the wild, and then they're weak algorithms to begin. They're not encrypted, they're just hashed. So, you're just wrong on that.

@ReligionAndMaterialismDebunked Жыл бұрын

A lot of haters in the comments, but plenty of us realize plenty of people do make their sites vulnerable with bad API keys. Lol. Just as many say they wouldn't use a default password, or fall for phishing, but many do. 💀💀💀🤣🤡😅

@mamenatech Жыл бұрын

Nope if i wrote that backend. 1. Never put password in payload. 2. Password should be hash not encrypt 3. if the algorithm does not exist in header of JWT then it returns 401 Can still you beat that? Let me know

@IvanRandomDude Жыл бұрын

He also used md5 which was broken like 15 years ago. Even if you put password hash in JWT by mistake, if it was any decent hash like SHA256 he wouldn't be able to do anything

@mamenatech Жыл бұрын

@@IvanRandomDude anyway, what kind JWT sistem does't verify incoming JWT, right?😂

@mamenatech Жыл бұрын

@@IvanRandomDude looks like the video is just for entertainment

@weikealenphinjaya5837 Жыл бұрын

yep, true.. always remember, never put password in JWT payload.. even if u already bcrypt the password, still, don't ever put it inside JWT payload..

@AMoktar Жыл бұрын

Noone can, just targeting high rank keywords for hackers dumbs for views

@axelqt1 Жыл бұрын

Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe

@Elte156 Жыл бұрын

The original JWT did have a secret key (using the RS256 type). He intercepted and sent over a perfectly valid JWT after modifying it. The real problem is that the backend server accepted the "typ: None" JWT. When it should ONLY be allowing and validating "typ: RS256" JWTs. The backend server is poorly misconfigured.

@LuomuKekkonen Жыл бұрын

You would be able to decode it, but not to forge it like this. Any normal web backend would check the signature of the JWT and notice that it is forged, and that's where this attack would stop.

@pixelotetm Жыл бұрын

Exactly. only the jwt token without passwords and email. should appear on the payload. 👏👏👏

@alee_shehbaz Жыл бұрын

exactly

@piotrm795 Жыл бұрын

@@pixelotetm and id should be a guid, not the number

@TheOriginalJohnDoe Жыл бұрын

No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.

@Abdul786Munaf Жыл бұрын

Sir awesome your explain....which year did you learn hacking course?

@slimoveis3751 Жыл бұрын

Thanks! I've been searching how to get it and this is brilliant :D

@linux2698 Жыл бұрын

Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?

@juliusrowe9374 Жыл бұрын

Awesome tutorial Loi! As always thanks for sharing!

@kiran-nambiar Жыл бұрын

This is highly unlikely situation, but yeah a determined hacker and a foolish developer, anything is possible.

@marjmarj6407 Жыл бұрын

Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.

@rickifunk51 Жыл бұрын

Do a roll back if you are on windows, back to a previous saved point.

@HackerCifish 4 ай бұрын

Video Suggestions: 1. Video About wireshark And wifite 2. Video on how to hack any pdf's password with "rockyou" wordlist 3. Make a video about anonymity with kali "whoami" 4. A video on how to dual boot Kali Linux 5. A video a on BYOB Botnet 6. Full tutorial about Burpsuite

@zip-taw Жыл бұрын

Wow your the real Mr.Robot with full explanation. Thank you for the video.

@PeterVerhas Жыл бұрын

JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.

@nigampatel6383 3 ай бұрын

Loi Yang , I saw this video what if you change the role customer to admin ? Would it be more easy to bypass I guess ? Or I am wrong ?

@ecodersjo 11 ай бұрын

what if there is only the user id stored in the token for eg i use that

@hemanacademyandsecurity Жыл бұрын

You explain like a learner not a tutor and we understand as a master trainer ! Too good! From india

@fatiuspau8l551 Жыл бұрын

Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on c2?

@hazed69 Жыл бұрын

wdym by tutorial on C2, its just command and control from server - client / client - server setup, idk what kind of tutorial you need in this 🤔

@matiasmiraballes9240 Жыл бұрын

ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.

@EzequielRegaldo Жыл бұрын

Passwords never appears in JWT. Just ids or roles. And we verify the token with certs every request so its not a problem :P

@akifbora Жыл бұрын

what kind of backend does not verify jwt?

@reancode4518 Жыл бұрын

Great. I can prevent hacking by your video. Thank you.

@SergeiKarimov Жыл бұрын

He demonstrated the most basic alg:none exploit which you won't meet in a real world

@zuza0006 Жыл бұрын

I tried and it is installed thank u very much anda

@schlauadesmarti2292 Жыл бұрын

Hello Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?

@mervinmarias9283 Жыл бұрын

LMAO!! I was rolling with that "super secure password"

@trevorsmith5991 Жыл бұрын

Thank you so much you really help me :)

@user-jo4lp5ll4v Жыл бұрын

I learned a lot from you Thank you my beautiful teacher loi I wish I could shake hands with you in real life ❤️❤️🌹

@hooyah Жыл бұрын

im junior web frontend, i use jwt in nextjs. but i create my backend(nestjs) app to set secret in jwt and never set password in the payload of jwt just set sub/id and ername/email. i think in the production people never set password in the payload and will set jwt secret. cmiiw

@daddydoooo Жыл бұрын

So this website does not verify the token and its signature before processing any requests, right? 😅

@yoonahworld Жыл бұрын

Nahh u only have those info because ypu are logged in though...

@daddydoooo Жыл бұрын

@@yoonahworld Nah~ every systems I have developed, i will check that user and token signature match with data in cache (like Redis) at least.

@zmaxzmax4291 Жыл бұрын

Does samsung knox protect the phone from hacking

@nikosfanour Жыл бұрын

You don't put passwords (even hashed) in JWTs

@nikosfanour Жыл бұрын

You check if the hashed passwords match and then you never use the password again. You use JWTs and you refresh them.

@IvanRandomDude Жыл бұрын

On top of that he used md5 hash that was broken like 15 years ago and it's easy to reverse.

@Jawssalamalecu Жыл бұрын

@@IvanRandomDude you are confusing preimage resistance (which is still strong for md5) with collision resistance (which is the weak point of md5). While it is still not easy to reverse an md5 to the original value, you can find other values that will be hashed to the same encrypted sequence.

@obikenneth886 Жыл бұрын

Please I need your help someone is trying to hack my website by creating multiple user account what can I do

@spacesketsh Жыл бұрын

explain about how we can exploit a camera over network

@katarzynajuraszek106 Жыл бұрын

Nice video, it works!

@spike666spike666 7 ай бұрын

Nice video, but when I use the MD5 decoder it comes back as "Bad Format"... Doesn't work.

@toanba3444 Жыл бұрын

you deserve to be a comedian 😆

@AntonApostolov Жыл бұрын

he is not?

@Decrypto01 Жыл бұрын

Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.

@SergeiKarimov Жыл бұрын

he exploits very basic vulnerability alg:none which is virtually impossible to meet in a real world

@Decrypto01 Жыл бұрын

@@SergeiKarimov I was talking about the phase of covering tracks... similar to how you would disable auditing, delete logs and then use cipher.exe to overwrite the deleted files to cover tracks.

@kolakeman-gpuro6916 Жыл бұрын

i think the only time the password will appear is if the developer set it as "1" in Controller....

@farhanlatifgazi Жыл бұрын

Usually the password is never contained in the jwt for security purposes....

@yurilsaps Жыл бұрын

The point of the video is not get the password in the jwt. Is forge it

@sebaperalta2001 Жыл бұрын

MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!

@Andreas-gh6is Жыл бұрын

Ever heard of rainbow tables? Also there are all sorts of MD5 decryption programs. And shitty password security is one of the most frequent vulnerabilities hackers use. But nowadays no framework/website will use MD5 by default. Or allow alg:none in JWT.

@kimgysen10 Жыл бұрын

LinkedIn got hacked in the past due to md5 hashing their passwords. I suggest not to do it ;)

@samrijijkot Жыл бұрын

@@kimgysen10 wait, seriously? they really used md5?

@sebaperalta2001 Жыл бұрын

@@Andreas-gh6is Yes, but at the same time if you salt your hash, the attacker may never crack it

@youraccountissuspended Жыл бұрын

how about bcrypt? is it better than md5?

@rosyprakash Жыл бұрын

CAN YOU HELP MAKING VIDEO ON GETTING ACCESS TO SAVED PASSWORDS On ANDROID APPS OR PASSWORDS SAVED IN BROWSERS.

@allshorts-a1661 Жыл бұрын

Please make a video on captive portal setup on router🙏❤️

@DEADCODE_ Жыл бұрын

I'm learning about JWT and you explained it better

@mamenatech Жыл бұрын

anyone who doesn't know how JWT works will say he's the best. that's tutorial for entertainment purposes only 🤣

@SuprousOxide Жыл бұрын

He explained how not to use them.

@oliviers.3592 11 ай бұрын

How to gunzip a compressed payload?

@Hugos68 Жыл бұрын

This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.

@johnpatrickmadrigal477 Жыл бұрын

Just make sure to use REDIS to validate the token.

@studiowebselect Жыл бұрын

Site who dont check for jwt signature deserve to be hacked

@mamenatech Жыл бұрын

Thats tutorial only for entertainment purposes 🤣

@sorrefly Жыл бұрын

Why would the server respond as OK at 11:43 if the password in the json token for the admin account is possibly wrong?

@ahmedyehia1538 Жыл бұрын

well you're right, but fun fact the admin password is 12345678 too.

@immor98 Жыл бұрын

Why？？

@manuelfrosi2799 Жыл бұрын

JWT_Tool automates the task but most of the websites have protection against the None algorithm attack

@DanielNuske Жыл бұрын

hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔

@shimmy5477 Жыл бұрын

Thanks!

@razorjhon2622 Жыл бұрын

This is if u try to hack a noob developer :D

@simonhylander7489 Жыл бұрын

how do you get past the secret

@YamikaniKalinde Жыл бұрын

That backend is bonkers

@Andreas-gh6is Жыл бұрын

Which is why no framework/library/website allows alg:none by default.

@DocMaggie Жыл бұрын

Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.

@harshraj6264 Жыл бұрын

Excellent video. I am now trying to hack my own API 😂😂. If we provide algorithm while decryption then we can avoid this attack

@watchiwafcwatson4509 Жыл бұрын

What

@daddydoooo Жыл бұрын

Yes, just check the token algorithm and verify its signature for any requests

@tjaydk Жыл бұрын

Hi Loi. Nice video - would you recommend sessions for API's that need more security ?

@ReligionAndMaterialismDebunked Жыл бұрын

:3 Plenty of bounties rely on these API keys since API keys are barely looked at by most security people, and by most web developers, as plenty of successful ethical hackers explain they get paid a ton by these exploits. Many don't encrypt keys, leave them out in the wild, and then they're weak algorithms to begin. They're not encrypted, they're just hashed. So, you're just wrong on that.

@kimgysen10 Жыл бұрын

Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.

@macctosh Жыл бұрын

Exactly! jwt is used in place of a password. It's like a password in a sense but only valid for short period of time. so if you do manage to get a user's jwt. you have to use it within a short period of time ( usually less than 4 hours ) before it becomes invalid and prompting you to login with the real password. Taking into account the effort and time needed to steal a valid jwt. You have to use it immediately which will alert the user to a breach! furthermore there is nothing you can do to extend the expiration date. absolutely not worth the effort. I would rather try to steal the real password instead.

@johnniefujita Жыл бұрын

this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...

@auriliomike2199 Жыл бұрын

Hi i’m new here how can i get membership ?

@rouen768 Жыл бұрын

Yes Bro nice work and nice video

@calisthenicarts312 Жыл бұрын

how does one hack slmail?

@JacobKasperek Жыл бұрын

This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".

@katendemusa5747 Жыл бұрын

Hacker Loi this is great info. How do more of this kind

@nicolasticonavaldivia6509 Жыл бұрын

backend devs are suposed to DO NOT send back the password.

@mahtabali8284 Жыл бұрын

you are awesome

@chriss887 Жыл бұрын

Hello Mr yang are you available to hire

@user-iv2lc9vg4b Жыл бұрын

Hi Chriss, chat my telegram ☝️

@mohammedalissah7637 Жыл бұрын

Which best to learn C or C++

@tatendabako6363 Жыл бұрын

c++

@mohammedalissah7637 Жыл бұрын

Why c++ is better than C

@srijan4622 Жыл бұрын

what foolish developer would even put their passwords in the JWT claim?

@dikaa2024 Жыл бұрын

can you beat Bjorka?

@ChrysalixDotOrg Жыл бұрын

The password is in the claims of the jwt?!? No one does that. And if they do they should not have

@macctosh Жыл бұрын

He lost me when he said " change the token to admin " doing so invalidates the token. The server will reject the token !!

@Elte156 Жыл бұрын

But the server didn't though! Changing the type to None made the token valid again because it doesn't need a signature anymore. The server is intentionally misconfigured to accept None typed tokens.

@macctosh Жыл бұрын

@@Elte156 Oh... why would any developer accept an unsigned token?

@Elte156 Жыл бұрын

@@macctosh they wouldn't intentionally. There was a few auth0 articles about notifying JWT library maintainers to check against this exploit back in 2020. Using "None" has an internal use case and it is valid according to spec.

@macctosh Жыл бұрын

@@Elte156 Wow... I didn't know... thanks.

@algatra6942 Жыл бұрын

well, thanks mr Loi

@blackhat5133 Жыл бұрын

OP ❤️

@sherriffs2554 11 ай бұрын

This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.

@bestbotreview Жыл бұрын

could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???

@SuprousOxide Жыл бұрын

1) Don't put the password, or anything intended to be secret, in the JWT 2) On the backend, make sure the specified algorithm is the one you expect (and definitely not none), and that the signature is correct (which an attacker can't forge after modifying data unless they know the key, which should be a secret)

@fairyroot1653 Жыл бұрын

Make a video on Openbullet 2

@M_IZAN Жыл бұрын

💜💜sir plz your hacking lab setup please 💜💜

@IsaacNewton80735 Жыл бұрын

Lol is very vulnerable backend. Stores the password of the user in the JWT, it doesnt make any sense, cause this is the purpose of the JWT

@DevSecOpsAI Жыл бұрын

I won't answer that for you Loi

@esra_erimez Жыл бұрын

Jet Skis on Neptune

@abdulhadiabbasi9147 Жыл бұрын

My Facebook account hacked not showing in Facebook help me to recover I don't have money plzz help

@bandaopsi Жыл бұрын

haha there shouldn't be a password claim in the token

@Hexadolf Жыл бұрын

Yeah, I'm using whitelist. Also the only thing I'm puting in my payload is user id which is in uuid, good luck finding the admin.

@arcanernz Жыл бұрын

I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.

@AbdullahDataVerse Жыл бұрын

A way to talk with you 🥺

@allanwamute735 Жыл бұрын

hey man I am from africa and I dont have the money to be an exclusive member so i was just asking if you could give me a pass to your membership

@jobemesser984 Жыл бұрын

this is tutorial "how to make JWT inside your app authentication hackable"

@trendz14 Жыл бұрын

Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore

@mattgoral1181 Жыл бұрын

Wouldn’t you need a private key to decrypt the jwt?

@tinashetanyaradzwamabika2422 Жыл бұрын

you only need the private key to verify if the token hasn't been changed. In this case he just decoded the token

@inhhaile7495 Жыл бұрын

@@tinashetanyaradzwamabika2422 that's the usage of public key, to verify if the token have been forged. The private key is used for signing a token instead. Normally if JWT uses RSA, public key can be published for all other parties to verify them as well

@majsingh2362 Жыл бұрын

Now I know how to hack Jason's password. Didnt knw every was after him as well.

@samson1695 Жыл бұрын

Computer specs reveal plsss

@App_galaxy Жыл бұрын

On the first top ten people to comment

@LeoMessi24Highlights Жыл бұрын

Thanks

@sandra508 Жыл бұрын

Pls help. How to hack the location of the person using phone number? I also need to hack his computer and phone to delete some photos 😭😭😭 pls help me.

@user-iv2lc9vg4b Жыл бұрын

Hi Sandra, chat my telegram