How Hackers Hack JSON Web Tokens

// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.
Comments

Author

This is a very vulnerable backend that won't exist in the real world.

aidenkwong
Author

I've recently begun using JWT tokens; after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching any further.

joshuafountain
Author

Good in theory, but in practice everyone would use a secret key with JWT, so you wouldn't be able to decode it like that; then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already-opened safe.

axelqt
Author

Nope, if I wrote that backend.
1. Never put the password in the payload.
2. The password should be hashed, not encrypted.
3. If the algorithm does not exist in the header of the JWT, then it returns 401.
Can you still beat that?
Let me know.

mamenatech
Author

No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user ID (uid), UUID, username or email. It could obviously happen that there is a dev out there who will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.

TheOriginalJohnDoe
Author

Sir, your explanation is awesome... In which year did you take the hacking course?

AbdulMunaf
Author

You explain like a learner, not a tutor, and we understand as from a master trainer! Too good! From India.

hemanacademyandsecurity
Author

Thanks! I've been searching for how to get it and this is brilliant :D

slimoveis
Author

This is a highly unlikely situation, but yeah, with a determined hacker and a foolish developer, anything is possible.

kiran-nambiar
Author

Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hosts display this information secretly. Is there a way?

linux
Author

Awesome tutorial Loi! As always thanks for sharing!

juliusrowe
Author

Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.

marjmarj
Author

I learned a lot from you.
Thank you, my beautiful teacher Loi.
I wish I could shake hands with you in real life ❤️❤️🌹

jolpllv
Author

Video suggestions:

1. Video about Wireshark and wifite
2. Video on how to hack any PDF's password with the "rockyou" wordlist
3. Make a video about anonymity with Kali "whoami"
4. A video on how to dual boot Kali Linux
5. A video on the BYOB botnet
6. Full tutorial about Burp Suite

HackerCifish
Author

Wow, you're the real Mr. Robot, with a full explanation. Thank you for the video.

zip-taw
Author

What if there is only the user ID stored in the token? For example, I use that.

ecodersjo
Author

Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on C2?

fatiuspaul
Author

What kind of backend does not verify JWT?

akifbora
Author

Great. I can prevent hacking thanks to your video. Thank you.

reancode
Author

I tried and it is installed. Thank you very much, anda.

zuza