JSON Web Keys (JWK & JWT) - "Emergency" - HackTheBox Business CTF

67,082 views

John Hammond

2 years ago

If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE, offering smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Comments: 85
@user-oz5hi1px7e 2 years ago
I love it when u do the "WHY?"
@joeymelo2882 2 years ago
John: "Man, I'm falling apart" Everyone: We've all been there John. We've all been there. Thanks for the video :D
@Dygear 2 years ago
Actually super helpful to me. I have to use JWTs and I didn't understand them at all. This helped so much and allows me to avoid a pitfall of them as well.
@alexlefevre8226 2 years ago
Every time, every video, I learn... I learn a TON. I earned my CS degree in 2012, which is, for all intents and purposes, one complete stage of evolution of the field. I missed streamlined AI/ML, as they were all electives that required department approval. I also missed in-depth server-side scripting such as JSON, but we DID do a lot of PHP and our main focus coding-wise was C++. We learned nothing pertaining to pentesting or security measures beyond solutions offered in a basic web portal when one purchased hosting. We did an oddly large amount of assembly, as well. I've learned more about security, malware, and generally understanding what you present here than in a 4-year degree. You are awesome and have a forever subscriber.
@Joettyy 1 year ago
How's it going now?
@cheezedoodles3447 2 years ago
I enjoy these CTF videos so much! Thanks for the content John, keep these daily uploads!
@gokoo123 2 years ago
@18:31 you killed gunicorn again after killing it near minute 18, but you didn't kill nginx either time :D
@kyand920 2 years ago
This for some reason gave me a flashback to a picoCTF challenge that John did; it involved JWT.
@TheOcta5 2 years ago
I hope in the future to solve things like you do, great job John!
@matteoleone5705 2 years ago
I really liked the premiere! I think this will be really useful on many occasions. Thanks John!
@jocsamisrraine 7 months ago
Good one, still watching from Brazil in 2023
@tehvvisard 2 years ago
Depending on how the check is set up on the server side you might just have been able to create a new token with username: admin. Not all APIs check the signed part, only that the jku matches.
@villager8358 2 years ago
It's GREAT that you upload daily!
@kylefaust7743 2 years ago
I have been studying networking for the last month and I still have zero clue what he does in these videos, but I am DETERMINED to figure it out so I can not only follow him in videos but also solve these problems myself!!! Thanks for the video! Loved your cast on HTB Battlegrounds and here's hoping for more!
@charlesejiegbu5372 9 months ago
Hey, it's been a year since you made this vow, how's it been going since then? Have you made some progress in your learning thus far?
@chippyswoodworking1765 2 years ago
Great video. I learn a lot from your channel.
@Sarveshpanditrao 2 years ago
Setup tour
@aumbhatt5339 2 years ago
He already did one 6 months ago...
@zombie9503 2 years ago
Great video as always, much love man
@BearkFearGamer 2 years ago
Amazing man, you're an expert!
@pengrey 2 years ago
John, this one was a bit confusing to follow, maybe a slower pace next time. But loving this series, keep on o/
@DizzySpark 2 years ago
Weird question... was the "rogin" screen sanitized?
@stanislavsmetanin1307 2 years ago
Bravo maestro 👏👏👏👍
@Maik.iptoux 2 years ago
Minute 15: alg, alg, alg!!! Sometimes you don't see the things in front of your eyes 👀😂
@hanpoyang 2 years ago
Why does it contain the pk file path? Is it so ridiculous? I've been confused. :-) It is really an excellent presentation.
@xXReVo_LuTiOnXx 2 years ago
Why does JWT allow this behaviour? I mean there should be some strict content policy, like a "JWT" can only be checked against a domain which it is used by or something; everything else is really stupid, isn't it?
@tartas1995 2 years ago
If I understand you correctly, you are asking why the system is using a "random" source for verification. The answer is that it is kind of the point of the concept of JWT. If the service that is using JWT would host the "key" itself, the service could be using the good old session IDs. The point of JWT is to have authentication and service separated. The domain with the service trusts the authentication service and simply checks if the token is valid using the public key from the authentication service and the signature from the token. In this case, the service was coded to use the "jku" in the token, which makes sense if you have multiple trusted authentication services (think authentication via Google, Facebook, ...). But the service failed to check if it trusts the jku in the first place. (My understanding could be wrong or incomplete.)
@arpee1337 2 years ago
That's pretty much it. This can actually be seen as a "feature", but the server blindly trusted whatever was there.
@MaZe741 2 years ago
I don't understand how the JKU can be changed to anything so easily, what's the vulnerability?
@lukegaskell8214 2 years ago
The problem is that typically that well-known endpoint is just set on the server side (therefore it would always verify against the correct keys). This vulnerability was allowing the user to not only provide the JWT… but also how to verify the JWT (well-known endpoint in the token).
@harshkashyap8045 2 years ago
Good luck 👍
@dedkeny 2 years ago
Python4... I just stared into the eyes of the future!
@Reelix 2 years ago
By the time python4 rolls around, maybe people will have stopped using python2 - Maybe :p
@Yetzederixx 2 years ago
probably not lol
@itstoxicqt 2 years ago
Damn, should have watched this earlier, would have helped tons in the HacktivityCon warm-up stuff today lol
@MaZe741 2 years ago
What's the main takeaway? How come the jku location can be changed to anything? Please talk about what the vulnerability was here - just human error?
@leduyminh48 2 years ago
Because it is not supposed to be in the header for the user to change; you cannot trust the header for that information. Instead, it should look up the jwks_uri through the .well-known/config endpoint before using it for verifying the signature.
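As an added example (not code from the video, the CTF, or any of the commenters), the trust decision these replies describe, in stdlib-only Python: the vulnerable resolver fetches keys from whatever URL the token's jku names, while the hardened resolver pins the algorithm, compares jku against a server-side configured URL by exact match, and only then selects a key by kid from that document. The URLs, kid values and JWKS contents are constructed placeholders; signature verification with the resolved key is left to the JWT library and is not shown.

```python
import base64
import json

# Server-side configuration: the only JWKS location this service trusts.
# The token's jku header is never used to decide where keys come from;
# it is only compared against this value. (Hypothetical URL.)
TRUSTED_JKU = "https://auth.example.com/.well-known/jwks.json"

# Constructed JWKS documents standing in for HTTP responses so the example
# runs offline. The "n" values are placeholders, not real RSA moduli.
SAMPLE_JWKS = {
    TRUSTED_JKU: {"keys": [
        {"kty": "RSA", "kid": "idp-2024", "alg": "RS256", "n": "TRUSTED_MODULUS", "e": "AQAB"}]},
    "https://untrusted.example.net/jwks.json": {"keys": [
        {"kty": "RSA", "kid": "idp-2024", "alg": "RS256", "n": "UNTRUSTED_MODULUS", "e": "AQAB"}]},
}

def fetch_jwks(url):
    # Stand-in for an HTTPS GET of a JWKS document; returns the constructed data above.
    return SAMPLE_JWKS[url]

def b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, payload):
    # Demo token; the third segment is a constructed placeholder, not a real signature.
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.c2lnbmF0dXJl"

def resolve_key_vulnerable(token):
    """The behaviour shown in the video: keys come from wherever the token's jku points."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    keys = fetch_jwks(header["jku"])["keys"]
    return next(k for k in keys if k["kid"] == header["kid"])

def resolve_key_hardened(token, trusted_jku=TRUSTED_JKU):
    """Pin alg, require jku to equal the configured URL exactly, then select the key by kid."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    if header.get("jku") != trusted_jku:  # exact match; no prefix or substring tests
        raise ValueError("jku is not the configured JWKS URL")
    keys = fetch_jwks(trusted_jku)["keys"]  # fetched from configuration, not from the token
    match = [k for k in keys if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(match) != 1:
        raise ValueError("no unique RSA key for kid")
    return match[0]
```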
@TJCREATIVETECH 2 years ago
Super
@free_coursesforyou6861 1 year ago
HE'S SO SMART BRO, MAN'S JUST
@zihasz5305 2 years ago
You should install a JSON viewer extension for Chrome :)
@ca7986 2 years ago
❤️
@lokithedark1 2 years ago
lol I saw python4 and was like darn, why'd I spend so long getting the hang of 3
@TJCREATIVETECH 2 years ago
Bye John👋👋Good Night!!
@serg472 2 years ago
I don't get it, what was the vulnerability? This type of authentication surely isn't supposed to fall apart essentially from just setting "user=admin" inside a cookie.
@lukegaskell8214 2 years ago
The vulnerability is that it was allowing the token to dictate how it verified the signature…. Basically… tell me who you are and tell me how to verify that. I should know how to verify without you telling me.
@Johnny-tw5pr 2 years ago
How do I find these machines on HTB?
@hyperblackhole2105 26 days ago
Can we still do this without the public-facing website?
@karolmilewczyk8338 2 years ago
Edit the audio out when typing your passwords. People can interpolate the keystrokes from their frequency.
@patrickconrad2874 1 year ago
What problems could this cause from a dev standpoint? How can I prevent this? Thanks for the content.
@eternalskywalker9440 1 year ago
Vet the signing key. Know where it comes from. This is a dumb exploit to be vulnerable to, very basic.
@mthariqsunur9868 2 years ago
What browser extension are you using?
@mithushanjalangan5132 2 years ago
Was going to comment the same! Want to know as well!
@a.k_theportal3085 2 years ago
Cookie editing one? It's called EditThisCookie
@jakecrowley6 2 years ago
You can also edit cookies directly in Chrome without any extensions by going to Dev Tools (ctrl+shift+I) -> Application tab -> Cookies
@shivamgoyal796 2 years ago
Which plugin do you use to check the JWT token?
@aveon9888 2 years ago
I think it is cookiemanager
@KGIV 2 years ago
@@aveon9888 That's the one.
@xpau2 1 year ago
2:27 your Chrome is outdated. lmao 😂 You are missing some important security updates!! I know that issue..
@villager8358 2 years ago
I just wonder: how old are you John?
@eternalskywalker9440 1 year ago
I find it hard to believe that you would find a live app that would accept a key from an arbitrary domain. Vetting the signer should be a basic task.
@JuanBotes 2 years ago
:)
@free_coursesforyou6861 1 year ago
Look, I know he does the whole process with us and all, but sometimes it's like hold up, hold up, how'd we get here???
@NeXXyD 2 years ago
TOOD
@challengercybersec2155 2 years ago
Ed Sheeran is amazing at infosec stuff.
@ventsislavkirkov 2 years ago
I like listening to Seth Rogen hacking :)
@shunhasfaithfaith6693 2 years ago
Do an analysis of AsyncRAT
@dominic_dl2114 2 years ago
We do not know how it is signed... alg: rs256 Well xD
@EiRA-hiE-x 2 years ago
Damn, I feel like I should never use JWT again lol
@claudiafischering901 2 years ago
JWT is really not secure enough for me. When John breaks in so fast - I never want to use JWT. So I still use php-session - that is more secure; I think. ^^ Thanks for the video.
@safwanljd 2 years ago
JWT is secure when configured correctly
@mohdalif 2 years ago
Do check out JWE for additional security of JWT. My advice is to go stateless, simple & easier to scale. Storing the session on the server side I guess is fine for a non-scaling web app.
@zeratax 2 years ago
This is so weird to me lmao. This jku field makes like no sense to me and seems sooo insecure, I hate JWT. I guess it's like supposed to be used with a whitelist? But what's even the point?
@flaviuscondurache2688 2 years ago
Was I the only one who was screaming: use ngrok?
@grandmakisses9973 2 years ago
I was thinking it
@HAGSLAB 2 years ago
Was thinking the same 😂 John has used ngrok multiple times before, so not sure why he opted to use his prod server this time 😆 I may have done the same thing though 😝
@lifeisgameplayit 2 years ago
Aren't you doing brain surgery just now by explaining how JWK works? ;>