
Web services testing

Seven tasks for test, one for deploy


Hack the JWT Token

Reading time: 4 min. Views: 62K.

For Educational Purposes Only! Intended for hackers and penetration testers.

Co-authored with Maria Karpliuk!


Issue


The HS256 algorithm uses a single shared secret key both to sign and to verify each message. The RS256 algorithm uses the private key to sign the message and the public key to verify the signature.

If the algorithm in the token header is changed from RS256 to HS256, the backend code uses the RSA public key as the HS256 secret and verifies the signature with HS256. In effect, an asymmetric signature scheme is downgraded to a symmetric one (asymmetric cipher algorithm => symmetric cipher algorithm).

Because the public key can often be obtained by the attacker, the attacker can change the algorithm in the header to HS256 and then use the RSA public key as the HMAC secret to sign the data.
The backend code then verifies the signature using the RSA public key + HS256 algorithm, and the forged signature matches.

Example


The vulnerability appears when the verification code looks like this:

const decoded = jwt.verify(
    token,
    publicRSAKey,
    { algorithms: ['HS256', 'RS256'] }   // both algorithms accepted with the same key
)

Let's assume we have an initial token like the one presented below; " => " marks the modification the attacker can make:

//header 
{
alg: 'RS256'                         =>  'HS256'
}
//payload
{
sub: '123',
name: 'Ivan Prychantovskyi',
admin: 'false'                       => 'true'
}

The backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.

The most common OAuth 2.0 Hacks

Reading time: 6 min. Views: 41K.

OAuth 2 overview


This article assumes that readers are familiar with OAuth 2. A brief description of the flow is nevertheless presented below.



  1. The application requests authorization to access service resources from the user. The application needs to provide the client ID, client secret, redirect URI and the required scopes.
  2. If the user authorizes the request, the application receives an authorization grant.
  3. The application requests an access token from the authorization server by presenting authentication of its own identity and the authorization grant.
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server issues the access token and, if required, the refresh token to the application. Authorization is complete.
  5. The application requests the resource from the resource server and presents the access token for authentication.
  6. If the access token is valid, the resource server serves the resource to the application.

These are the main pros and cons of OAuth 2.0.


Pros:
  • OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
  • Widespread and continuing to grow
  • Short-lived tokens
  • Encapsulated tokens

Cons:
— No signature (relies solely on SSL/TLS), bearer tokens
— No built-in security
— Can be dangerous if used by inexperienced people
— Too many compromises; the working group did not make clear decisions
— Mobile integration (web views)
— The OAuth 2.0 spec is not a protocol, it is rather a framework — RFC 6749
