Web Service Attacks

JSON Web Token

Copyright © Exdemy.com

JSON Web Token
● Solve level 2 of the JWT challenge of wishtak websheep
● If you have not installed it locally, try the online lab
JSON Web Token - Solution

As mentioned in the lesson hint, we must try fuzzing the application, and the only place we can supply our inputs is the Login Form.

● Try logging in with both valid and invalid credentials; can you see some kind of flaw/pattern?
● Notice the JWT_HMAC_SECRET in error details when you enter invalid
credentials
○ Using this secret key you can sign any JWT token for any user you want (you can also find out
the token structure using given credentials (foobar:123456))

JSON Web Token - Solution - Contd.
● You can find the solution written in JavaScript here:
http://lab.awh.exdemy.com/websheep/jwt/v2/solution