

In Part 1 we discussed the theory of the Key Confusion Attack. In this post we use a deliberately vulnerable JWT application by Sjoerd Langkemper to demonstrate the attack in practice.

Install the JSON Web Token Attacker (JOSEPH) extension from the BApp Store (Extender tab in Burp Suite) and head over to the blog. Click on the RS256 demo page to go to the lab.


This post covers the theory of the Key Confusion Attack. Part 2 walks through the JWT lab by Sjoerd Langkemper to demonstrate the attack in practice.

JWT stands for JSON Web Token. After a successful authentication the server returns a JWT in the response, and the client presents it on subsequent API calls or requests for protected resources, typically in the Authorization request header:

Authorization: Bearer <JWT>

A JWT looks like this and makes little sense to the naked eye:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.Yrp55yopmWPtFlRNYKPAXTNgvEPGI7cuDgrBcVBZXzQ

It consists of three base64url-encoded parts separated by dots:
1. Header
2. Payload
3. Signature

The header of the token above decodes to {"alg":"HS256","typ":"JWT"}: the alg field tells the verifier which algorithm the signature uses. A verifier that trusts this attacker-controlled field instead of its own configuration is exactly what the Key Confusion Attack exploits.


I came across a web application that uses NTLMv2 for authentication. I logged in to the application (provided my credentials for the first time) and opened the Chrome developer tools (F12) to check the requests. There was no session cookie or authorization header (Authorization: Negotiate or Authorization: Bearer) in the request. There was no other session-related information to prove that the user was logged in. I was surprised to see that the server still responded with content available only to authenticated users. I wondered how the server knew that I was logged in without any session-related data in the request.


We all use shortcuts to make things convenient and fast. I have been using them in different code editors such as Eclipse and PyCharm. There are tons of shortcuts to choose from and it is difficult to remember all of them, so I have compiled a list of the PyCharm shortcuts we use most often, carefully choosing only those that get used every minute.

Some of the shortcuts are built in and some are user-defined. For the user-defined ones I have mostly used the Alt key: it is rarely used in the built-in shortcuts, and it makes for a…


In Part 1 of this series we saw that the generic XSS test payload, <script>alert('XSS')</script>, does not execute in every context: reflected inside an HTML attribute, a hidden input or a JavaScript string it is treated as inert data. In this post we look at the payloads that work in each context, so that we can conclusively establish whether XSS is present.

Let us look at the payloads to use in each context.

1. Context — body

Payload — <script>alert('xss')</script>


AngularJS is a popular JavaScript-based open-source front-end web framework, maintained mainly by Google and by a community of individuals. If you have tested web apps that use AngularJS as their front-end framework you might agree that it is a little harder to find XSS in them. The reason is that AngularJS encodes interpolated output before rendering it, so a payload reaches the page as plain text and nothing more. That does not mean Angular apps are completely safe from XSS: you can still find it through client-side template injection, where the attacker's input is itself evaluated as an Angular expression. …


Cross-Site Scripting, or XSS as it is popularly known, is one of the most common vulnerabilities found in web applications, and it has firmly retained its spot in the OWASP Top 10 Application Security Risks 2017 (as A7:2017). In this post we discuss how to test for Cross-Site Scripting (XSS) in web apps. If you first want to understand what XSS is, I recommend reading about it here.

Typically, when we encounter an input field in a web page, we go straight in and insert the best-loved XSS payload, <script>alert('XSS')</script>, to see whether an alert box pops up.

Navneet
