JSON Web Keys (JWK & JWT) - 'Emergency' - HackTheBox Business CTF

Comments

I love it when u do the "WHY?"

ozhipxe

John: “Man, I’m falling apart”
Everyone: We’ve all been there John. We’ve all been there.

Thanks for the video :D

joeymelo

Every time, every video, I learn... I learn a TON. I earned my CS degree in 2012, which is, for all intents and purposes, one complete stage of evolution of the field. I missed streamlined AI/ML, as they were all electives that required department approval. I also missed in-depth server-side scripting such as JSON, but we DID do a lot of PHP and our main focus coding-wise was C++.

We learned nothing pertaining to pentesting or security measures beyond solutions offered in a basic web portal when one purchased hosting.
We did an oddly large amount of assembly, as well.

I've learned more about security, malware, and generally understanding what you present here than a 4 year degree. You are awesome and have a forever subscriber.

alexlefevre

Actually super helpful to me. I have to use JWTs and I didn't understand them at all. This helped so much and allows me to avoid a pitfall of them as well.

Dygear

I enjoy these CTF videos so much! Thanks for the content John, keep these daily uploads!

cheezedoodles

I really liked the première! I think this will be really useful on many occasions. Thanks John!

matteoleone

For some reason this gave me a flashback to a picoCTF challenge that John did; it involved JWT.

kyand

I hope in the future to solve things like you do, great job John!

TheOcta

@18:31 you killed gunicorn again after killing it near minute 18, but you didn't kill nginx either time :D

gokoo

I have been studying networking for the last month and I still have zero clue what he does in these videos, but I am DETERMINED to figure it out so I can not only follow him on videos but also solve these problems myself!!! Thanks for the video! Loved your cast on HTB Battlegrounds and here's hoping for more!

kylefaust

Good one, still watching from Brazil in 2023

jocsamisrraine

Great video. I learn a lot from your channel.

chippyswoodworking

Depending on how the check is set up on the server side, you might just have been able to create a new token with username: admin. Not all APIs check the signed part, only that the jku matches.

tehvvisard

Great video as always! Much love man <3

zombie

John, this one was a bit confusing to follow; maybe next time a slower pace. But loving this series, keep on o/

pengrey

Python4... I just stared into the eyes of the future!

dedkeny

Weird question... was the "rogin" screen sanitized?

DizzySpark

Minute 15: alg, alg, alg!!! Sometimes you don't see the things in front of your eyes 👀😂

Maik.iptoux

Why does JWT allow this behaviour?
I mean, there should be some strict content policy like "JWT can only be checked against a domain which it is used by" or something; everything else is really stupid, isn't it?

xXReVo_LuTiOnXx

What's the main takeaway? How come the jku location can be changed to anything? Please talk about what the vulnerability was here - just human error?

MaZe