Tom and Jerry
Great 👍🏻
Hi
HELLO!
Hello Sir thank you so much for your informative video, you're an inspiration for anyone who wants to be like you. I love your videos so much, you have varieties, good explanations, and no doubt you're great at what you do😇 Thanks a lot again. 🙏
It is amazing that there are educational tools like bogus webpage and video to teach or train newcomers in the concept of hacking unlike before. Over the decades, technology and techniques have evolved so much that it feels daunting for newcomers to survive the steep learning curve. Though some techniques may not work in current state, these tools help to smoothen the learning curve and hopefully, will attract more new blood to the field of cyber security.
its like paper trading the stock market useless in the real world
@lucifermorningstar1082 Like I have said, it may not work in current world but new knowledge is built on top of old ones. Knowing old concepts merely serves as a stepping stone to develop other techniques. Just like how the earliest form of blockchain started in 1991 as Surety timestamping solution and improved upon by others. Eventually, the technology can be combined with other techniques to create a system to fit a wide range of applications.
@lucifermorningstar1082 It's only for demonstration
After reading Only the " Thumbnail " the Title, and the 1st., 6 seconds / I have to say; " Thank you " ! I get to do That Every time I go to the Grocery Store or Look into Any Catalog !
This is great and all but most secure applications will not use the alg header to determine what algorithm to check the signature with, and they will check the signature with a predefined algorithm rejecting any claims in the JWT if the signature doesn't match the content of the token. So this would work on apps developed and not updated before 2015 I think.
I'm guessing this works on applications that don't actually validate the token.
Hence not a “hack” but exploiting what should be painfully obvious.
No, the problem is trusting the JWT with whichever algorithm it provides. There should be a list of allowed algorithms, and the backend should only accept those JWTs whose algorithm is one of the valid ones.
@mind.journey I think we are saying the same thing
@sailorm79 you're right! I interpreted your message differently but yeah, essentially they're not validating the token by trusting whatever it says
This is also something that applies to old JWT libraries that haven't patched the fact that anyone can dump the alg as none out which some lazier web applications might not have done and these applications are most likely still vulnerable to this attack.
Thanks and You Helped learn how to program websites more securely
Great video! Short, sweet, to the point, and loaded with great practical information!!
Wow! Thank you so much! With this simple hack, I managed to get a Free PS5 and a Free RTX 3090
LMFAOOOOO
Which OS do you use? I am new to this channel. Can you tell me about it?
@omaanshkaushal3522 kali Linux
And I got 69 bitcoin 😁😂
@mayankbansal8339 wow
Now i can order my dream pc 👀
Yooo, did you do it? 😂
come back let us know brobro im literally on kali linux trinaa see if it real jaja
and go with it to jail
FBI OPEN UP😂
gonna get 2 pairs of ipad pro, imac, earpods, zara, 1gbps annual pack, 1 bitcoin{at least}
guys, i just wanna tell you that Dreams come true!
@Peter Greyben lol
🤣🤣🤣🤣🤣
Did your products came home?
This was incredibly interesting to watch, thank you!
watching your vids with my new iphone,you are the best
If you validate the token it won't work. These tokens are not there to ensure the data is right, but they are there to ensure that the data is valid by providing the data, key and a token. The server computes the token from the data and compares it to the token sent with the jwt. If you don't validate this in your application, you can use any data
I learned tons about the JWT token in this concise video that I didn't know before! Thanks for the hard work; Keep it up!!
Not sure what you were doing here, you changed the JWT, how could it pass the server JWT verification? The server will use key and salt to decode the token, if you do not put a signature, it won’t pass
@K3dev My boss told me to drop a date with a salt code the payload. Then check it on the server. (e.g.
Thanks for educating Community. waiting for more ..
love and support from India
Excellent tutorial, but it won't work on present day website at least most of them. Could work on a few
His tutorial is outdated! Besides cyber security expert are not a fool
Who would just sit there and be like;
C,Mon boy u can do it
@justa1guy5 can you explain more please
Could you help me work out how to do it with amazon?
@georgiabrooks5631 do a search online you will find it. It is still same process
Love from Ethiopia 🇪🇹
I love ur tutorial...
How can I learn about hacking from ur courses? tell me pls..
Hello, Awesome Video. Please make another one about sessionids
please make more videos and guide us more about check out or payment methods
Really nice video
Thanks a Ton for Giving Such a Great Content for Us.
Thank a Tom!
I like this video, Thank you.
In near future I will buy your course.
Mr. Loi Liang Yang.
Which programming languages did you use to hack?
Love your videos
Sir i hope you to answer 🙏 to my question please "i have my WIN OS run i run a VPN on it and i launch WHONIX in a VM now which IP will be the exit point 👉 the TOR ip or the VPN ?" thank you.
sir can you make video about webgoat how to use full tutorial plz
If the JWT is generate with private key and public key, that is vulnerable?
WARNING!
00:16 - LEGO
00:19 - WARNING!
What's your monitor??
Wow great video
but sir what about price who will pay for me and how i didnt get it can you tell something about parameter tampering
You forgot to add "from a pro hacker" to the end of title.
8 minutes ill never get back
Iam ur big fan bro
Op knowledge bro 🖤
I really appreciate and like your videos, but why do you always add keyboard and mouse sounds? Is it an insider I dont know or just for fun?
I don't like this approach using the Burp suite. You teach people how to use Burp, but they don't understand what's behind this, how and why it works. I would prefer if you teach it in vanilla style, i.e. no fancy tools or frameworks, so people understand what is really going on. Of course, it takes more time to understand then.
but then you won't be caught, and this is not a real shaking tutorial, but it's completely the step by step for beginners, he also didn't want to mention VPN or proxy chains.
This works if the server doesn't validate the algorithm.
which is dumb and defeats the purpose of a JWT altogether
Honestly I don't think this will work anywhere
@VuNguyen-ni4ex a hacker can always hope someone forgot to validate. It is a common enough mistake that implementations take care to remind people to validate the algorithm.
@kphamcao I think people now are using libraries that support JWT really well, so yea that's really rare
@VuNguyen-ni4ex depends on which ecosystem you are talking about. The jwt library in Golang for example allows you to not verify the algorithm. Note that there is still a use case for not checking the signature if the parties in communication have mutual trust.
Does this work for taxes
if your backend accepts jwt tokens with no algorithm assigned to it then you need to just delete your entire project cause youse definitely already got a backdoor installed on your servers.
You are amazing
I didn't get please sir can u make another video on this topic please sir I didn't understood. I am just 16 years sir I begggg yo please make how did you do this. Ethical hacking is my passion
do you prefer to install kali linux on bare metal or virtual machine?
i would prefer bare metal and just dual boot.
I prefer bare metal for actual testing. Virtual is great for learning and those without access to another machine, but the bare metal has more inherent abilities since it isn't working on virtualized resources.
A good option is a raspberry pi4 with a Kali ARM distro. You can set up actual RDP and remote to it from a windows machine (not vnc - but rdp). Then you get the full bare metal experience for about 100.00
Omg thank u for demo.
Grats on the 420k
big fan sir
Which OS do you use? I am new to this channel. Can you suggest me something?
kali linux, and be careful don't mess around if you're new, take your time
Can you pls give the list of names of books that are lying on your table at 0:19?
Thanks Master...
First here…. Love his tuts so much 🤩
Mantap bro you are really hacker
I saw your video off of a random youtube algorithm. I'm trying to get into InfoSec, where would be a good start? Also just subscribed
Nice one
U r great
you're gullible
Plz do the same steps for sessid not json
Hi sir
How did you become aware of “Tom” the other user to insert into payload
me not understanding anything
"Checkout ANY products" is a bit of a misleading title, since all you'd need to stop this is to write good code and protect it with keys?
Please how can I learn social engineering?? 🙏🙏🙏🙏
I just want to be like you
Bro please make video on crypto or blockchains likes that like hacking or etc
The great video
is it possible to bypass text captcha with such methods?
Sir please tell me............can anyone do it and please tell me.........how do you get web token........I tried many times but I couldn't get a web token from more tools>>developer tools>>memory.can you give me a answer
Thanks loi ❤️
is that for carding?
Lol i love how these video start out only do this in your own environment. If you dont know that maybe cybersecurity isnt for you.
Everybody knows that, it's just there as a precaution to be able to deny liability
Sir trying to do but proxy extension is not work please sir direct me thank you 🙏
No Proxy listener is currently running is not there, i cant see it, can anyone help me?
when will you be live?
It's a conceptual vulnerability. There's nothing like this in the wild and if it is it's getting patched.
invalid Access Token: signing method (alg) is unavailable. (Give a solution on it)
did you spell the "alg": "None" part correctly?
yes, i did
The server configuration you have isn’t allowing you to just set the signing algorithm to what ever you want, this guy is making up scenarios that would never exist in the real world.
Dude you're the man
Is that actually work, if i tried to do that on discord?! (To be the owner)
I don't get it, what about the secret code? Is it useless to use it then? Or that application did not use a 256-bit-secret?
By setting the algorithm to "none", the hash function used to sign the JWT on the backend returned an empty string (or null). That's why he just had a . at the end of the JWT, the signature is just missing
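The check that several commenters describe (a server-side allow-list of algorithms, with the signature always verified) is shown below beside a verifier that trusts the token's own `alg` header. This is an added example, not part of any comment here and not the video's or any library's code; the key, the claims and all function names are constructed for illustration, and only the Python standard library is used.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed sample key, not from the page
ALLOWED_ALGS = {"HS256"}           # server-side allow-list (assumed policy)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a compact JWT; anything other than HS256 gets an empty signature."""
    head = b64url(json.dumps(header).encode())
    body = b64url(json.dumps(claims).encode())
    sig = sign(f"{head}.{body}", key) if header.get("alg") == "HS256" else b""
    return f"{head}.{body}.{b64url(sig)}"

def verify_trusting_header(token: str, key: bytes):
    """Flawed: the token's own alg header decides whether a signature is checked."""
    head, body, sig = token.split(".")
    if json.loads(unb64url(head)).get("alg", "").lower() == "none":
        return json.loads(unb64url(body))          # claims accepted unverified
    if hmac.compare_digest(sign(f"{head}.{body}", key), unb64url(sig)):
        return json.loads(unb64url(body))
    return None

def verify_pinned(token: str, key: bytes):
    """Hardened: alg must be allow-listed and the signature is always checked."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None                                # missing signature segment
    head, body, sig = parts
    try:
        header = json.loads(unb64url(head))
        if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
            return None                            # "none", "None", unknown algs
        if not hmac.compare_digest(sign(f"{head}.{body}", key), unb64url(sig)):
            return None                            # tampered header or claims
        return json.loads(unb64url(body))
    except (ValueError, TypeError):
        return None                                # malformed base64 or JSON

# Constructed sample tokens: one signed with the key, one with alg "none"
signed = make_token({"alg": "HS256", "typ": "JWT"}, {"user": "Jerry"}, SECRET)
unsigned = make_token({"alg": "none", "typ": "JWT"}, {"user": "Tom"})

if __name__ == "__main__":
    for name, tok in (("signed", signed), ("unsigned", unsigned)):
        print(name, verify_trusting_header(tok, SECRET), verify_pinned(tok, SECRET))
```

The unsigned sample ends in a bare `.` because its signature segment is empty; the pinned verifier rejects it before any claim is read.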
Nice!
If you do this and get caught you're going to jail, and it's likely not going to work many places. But hey, what do I know
In the last when it was written that you have successfully completed the assignment. Does it means that you have ordered that with others ID???
yes
@mandar3813 the order will come in our address 😂😂
@shivachauhan007 hopefully it will 😂😂😂
@shivachauhan007 if you receive the product, let me know too.
Works on Amazon page?
Nice =D
Thank you :)
Maybe useful for carding
this is cute but totally unrealistic, in real life token consists of a password as well.
What the meaning of json web
Thanks for my new iphone 13 pro max 🙏
It's really worked🙄
@honsol1120 I know that bro , just kidding 😂
@veee330 😂
Hikaro
Sir can u tell me plz how to access the web goat
i need your help with something ?
Mr loi ,I installed an app which I think is from a hacker and im pretty sure that he was trying meta exploit ,anyways I deleted the app, am I safe ? Should I be concerned ?
@joe biden fan 12 yes,sir I did ,
would that be anykind of threat to me ?
@alangeorge4923 you have to delete its all files from any archiver you got.
If you do this on your own pace, how fast can you achieve this? because doing it at this pace it looks utterly slow and long to do so XD
I will make u pay 😂😂 jk mate u doing great
Lol 😂😂 but it won't work on present websites... Because developers are our grandfathers in these
lmao, that's step just for junior dev
Hello
well, if someone created a service and/or environment allowing 'None' as the JWT algorithm they are idiots.
Or even worse if they don't check for algorithm at all. I know of someone who did such a mistake and refuse to take responsibility
Sir I need your help
Sir I couldn't activate my account in a website. Please help me to activate this account so that I can get paid my salary
same video again?