More JWT work
This commit is contained in:
Nanne Baars
@ -13,3 +13,13 @@ jwt-change-token-hint5=Submit the token by changing the algorithm to None and re
|
||||
jwt-secret-hint1=Save the token and try to verify the token locally
|
||||
jwt-secret-hint2=Download a word list dictionary (https://github.com/first20hours/google-10000-english)
|
||||
jwt-secret-hint3=Write a small program or use HashCat for brute forcing the token according the word list
|
||||
|
||||
jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
|
||||
jwt-final-not-tom=Username is not Tom try to pass a token for Tom
|
||||
|
||||
jwt-final-hint1=Take a look at the token and specifically and the header
|
||||
jwt-final-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
|
||||
jwt-final-hint3=The key can be located on the filesystem in memory or even reside in the database
|
||||
jwt-final-hint4=The key is stored in the database and loaded while verifying a token
|
||||
jwt-final-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
|
||||
jwt-final-hint6=Use: key1' union all select 'abcdefg' limit 1,1 -- And change the contents of the token to Tom and hit the endpoint with the new token
|
||||
Reference in New Issue
Block a user