
Learn How to Hack JWT Token | Multiple way to exploit JWT Token

12.0K views
May 31, 2020
12:12

100K $ bug #JWTtoken #pentestingJWT #AppleBounty

POC Link: https://bit.ly/3gcbkrL

JWT TOKEN (JSON WEB TOKENS)

2:00 JWT token identification
5:00 Ways to attack JWT token
9:00 Bounty 100k$ issue analysis

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Ways to attack
1. Application doesn't verify the signature
2. NONE algorithm
3. Changing the algorithm from RS256 to HS256
4. Cracking the HS256 key

JWT brute tool: https://tinyurl.com/2u3zewem

Authorization: Bearer token

KID SQL injection, directory traversal
"kid": "aaaaaaa' UNION SELECT 'key';--"
"kid": "../../public/css/main.css"

Token format: xxx.yyy.zzz
Example JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Reference:
https://www.slideshare.net/OWASP_Poland/opd-2019-attacking-jwt-tokens
https://jwt.io/introduction/
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

DISCLAIMER: This channel does NOT promote or encourage any illegal activities; all content provided by this channel is meant for EDUCATIONAL PURPOSES only.

Copyright Disclaimer: Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational, or personal use tips the balance in favor of fair use.
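The attack classes listed in the description map onto a short set of server-side checks. The following is an added example, not code from the video or its references: a standard-library HS256 verifier that pins the algorithm, treats "kid" purely as a dictionary key, and always checks the signature. The key id "key-2020-05" and all tokens are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key store: kid is only ever a dictionary key, never part of a
# SQL query or a file path. Keys are 256-bit random values, not passwords,
# so offline guessing of the HS256 key is impractical.
KEYS = {"key-2020-05": secrets.token_bytes(32)}
ALLOWED_ALG = "HS256"  # pinned server-side; the header's alg is never trusted


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build an HS256 token (used here only to create constructed samples)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify(token: str) -> dict:
    """Return the claims, or raise ValueError for any token that fails a check."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")  # rejects "none" and alg swaps
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown kid")  # rejects injected or traversal kid values
    signing_input = f"{head_b64}.{body_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")  # payload is untrusted until this passes
    return json.loads(b64url_decode(body_b64))
```

A service that issues RS256 tokens would pin "RS256" instead and verify with the public key through a maintained JWT library; the point is that the accepted algorithm comes from server configuration, never from the token header.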
