
BAD JWT

Have you ever seen a JWT token that reveals way more than it should?


In offensive security, we always inspect JWTs for:

  • Weak or guessable signing keys (e.g., "secret")

  • Use of none algorithm

  • Missing or improperly enforced exp claims

  • Sensitive data in payload (passwords, tokens)

JWTs are NOT encrypted by default. Don’t store secrets inside them unless you have encrypted that sensitive data first.

You may not believe it, but this is extremely common in JWT tokens, especially among junior developers: they think tokens are safe and unreadable, so they put all relevant info inside because it is the “EASY WAY” of coding...

  • Password inside JWT?!

    • Never store passwords (even hashed) in a JWT payload. JWTs are just base64-encoded, not encrypted! Hashed passwords can be cracked too, and weak hashing algorithms like MD5 are already broken, so choose a strong algorithm.

  • Credit Card Info in Payload?

    • Huge PCI-DSS violation and security risk. This data could be exposed in logs, browser storage, or intercepted.

  • Long expiration (exp)

    • A token that lives forever is a token that can be stolen and reused forever.

  • Weak Signature Key

    • A predictable or short secret can be brute-forced, allowing attackers to forge tokens; use a long, random signing key.

Here’s a nice website you can use to decode JWT tokens: https://jwtauditor.com/
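If you prefer to check tokens offline, here is a small stdlib-only Python auditor, added as an example and not part of the original post, that flags the four problems listed above: `alg: none`, a signature that verifies with a well-known weak key, a missing or very long `exp`, and sensitive claim names in the payload. The weak-key list, the 24-hour lifetime policy and the sample token are constructed for this demo.

```python
import base64, hashlib, hmac, json, time

WEAK_KEYS = ["secret", "password", "123456", "changeme"]  # constructed sample list
SENSITIVE = ("password", "passwd", "card", "cvv", "ssn")  # claim-name fragments to flag
MAX_LIFETIME = 24 * 3600  # assumed policy: flag anything valid for more than a day

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(payload, key):
    # Only used to build the constructed sample token below.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def audit_jwt(token, now=None):
    """Return the list of findings for a token; an empty list means nothing was flagged."""
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    payload = json.loads(b64url_decode(body_b64))
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: the signature is never checked")
    elif alg == "hs256":  # does the signature verify with a well-known weak key?
        signing_input = f"{head_b64}.{body_b64}".encode()
        for key in WEAK_KEYS:
            expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, b64url_decode(sig_b64)):
                findings.append(f"weak signing key: token verifies with {key!r}")
                break
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] - now > MAX_LIFETIME:
        findings.append(f"long lifetime: exp is {(payload['exp'] - now) // 3600}h away")
    for claim in payload:  # payload is only base64, so anything here is readable
        if any(word in claim.lower() for word in SENSITIVE):
            findings.append(f"sensitive claim in payload: {claim!r}")
    return findings

# Constructed sample: a token with every problem discussed in the post.
NOW = 1_700_000_000
SAMPLE = make_hs256_jwt({"sub": "alice", "password": "hunter2", "card_number": "4111-xxxx",
                         "exp": NOW + 365 * 86400}, "secret")
```

Running `audit_jwt(SAMPLE, now=NOW)` returns four findings (weak key `'secret'`, an 8760h lifetime, and the `password` and `card_number` claims); a short-lived token signed with a long random key returns an empty list.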
