
BAD JWT

 Have you ever seen a JWT token that reveals way more than it should?


In offensive security, we always inspect JWTs for:

  • Weak or guessable signing keys (e.g., "secret")

  • Use of none algorithm

  • Missing or improperly enforced exp claims

  • Sensitive data in payload (passwords, tokens)

JWTs are NOT encrypted by default: anyone who holds the token can read the payload. Don’t store secrets inside them; if sensitive data really has to travel in a token, encrypt it first instead of relying on a plain signed JWT.

You may not believe it, but this is extremely common in JWT tokens, especially with junior developers: they assume tokens are safe and unreadable, so they put all relevant info inside because it is the “EASY WAY” of coding...

  • Password inside JWT?!

    • Never store passwords (even hashed) in a JWT payload. JWTs are just base64-encoded, not encrypted! Hashed passwords can be cracked offline too, and weak hash algorithms like MD5 make that easy, so pick a proper password-hashing algorithm and keep the hash out of the token anyway.

  • Credit Card Info in Payload?

    • Huge PCI-DSS violation and security risk. This data could be exposed in logs, browser storage, or intercepted.

  • Long expiration (exp)

    • A token that lives forever is a token that can be stolen and reused forever.

  • Weak Signature Key

    • A predictable or short HMAC secret can be brute-forced offline, allowing attackers to forge tokens that your server will accept. Use a long, random signing key.

Here’s a nice website you can use to decode JWT tokens: https://jwtauditor.com/
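Before pasting a token into a website, you can run the same checks yourself. The audit routine below is an added example (not from the original post): it decodes a token with the standard library and flags `alg: none`, a missing or very long `exp`, sensitive claim names in the payload, and HS256 signatures made with a known-weak secret. The weak-secret list, the sensitive-claim names and the one-day lifetime threshold are assumptions chosen for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed list of known-weak HMAC secrets (an assumption, not a real wordlist).
WEAK_SECRETS = ["secret", "password", "changeme", "123456"]
# Claim names that should never appear in a signed-only JWT payload (assumed set).
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "card", "card_number", "cvv", "ssn"}
MAX_LIFETIME = 24 * 3600  # one day; tokens living longer than this are flagged

def b64url_decode(part):
    """Decode a base64url segment without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def audit_jwt(token, now=None):
    """Return a list of findings for a JWT; an empty list means nothing was flagged."""
    now = int(time.time()) if now is None else now
    findings = []
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["malformed token"]
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or not sig_b64:
        findings.append("alg=none / unsigned token")
    if "exp" not in payload:
        findings.append("missing exp claim")
    elif payload["exp"] - payload.get("iat", now) > MAX_LIFETIME:
        findings.append("long-lived token (exp too far from iat)")
    for name in payload:
        if name.lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive claim in payload: {name}")
    if alg == "hs256":  # try the weak-secret list against the HMAC signature
        signing_input = f"{header_b64}.{payload_b64}".encode()
        sig = b64url_decode(sig_b64)
        for secret in WEAK_SECRETS:
            expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(sig, expected):
                findings.append(f"weak HMAC secret: {secret!r}")
                break
    return findings

def make_hs256(payload, secret):
    """Build an HS256 token; used only to construct sample input for the audit."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```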
