Harvest
AI Summarized Content

How To HACK JWTs for a REST API - API Hacking 101

Hey there! 👋 Ready to dive into the world of JWT hacking for REST APIs? This video walks through a real-world example, step by step, showing how to find the signing secret, decode and modify a JWT, re-sign it to gain unauthorized access, write files on the server, and then work toward code execution. Let's break down the process in detail, following the video's flow and highlighting the key learnings and memorable quotes along the way!


1. Getting Started: Exploring the API Code

The video kicks off with the creator mentioning some off-screen work:

"I went on and did a little bit of things off screen, not very much, I just fetched the next file in line which was this api tabs file."

  • Key Point: The focus is on a file that handles authentication, specifically functions like get_current_user and parse_token.
  • Emphasis: These functions use a secret key:

    "In all of those they are using something called settings.jwt_secret."


2. Hunting for the JWT Secret

The next step is to find the secret used to sign JWTs:

"Now we need to find out where the settings are coming from... it's this settings in core config."

  • The creator looks for the file:

    "If we look in app/core/config/settings.py, we should be able to find the secret in there."

  • After some trial and error:

    "Maybe there is just this settings.py and it gives us back the classes in there... and we get something in the settings.py. Now that's amazing!"


3. Extracting the API Key

  • The secret is stored as an environment variable:

    "We have the jwt_secret which is the API key of the os.environ."

  • The creator recalls a previous episode:

    "If you remember back the last episode we had this proc self and wiring over here... in here we have the API key."

  • Action: The API key is saved for later use:

    "Now we have the API key saved. Perfect!"


4. Generating a JWT

With the secret in hand, it's time to craft a JWT:

"All we need to do now is generate our JWT. Let me do a quick Google search on how to do that."

  • The creator decides to use Python:

    "We can use Python and we can use a library... seeing that we are hacking a Python API, why not use Python to hack it? It's just the irony that I like."


5. Decoding the JWT

  • The jwt library is imported and the captured token (the part after "Bearer") is saved:

    "Let's import jwt and then save our JWT that we have here after this bearer part."

  • The algorithm is checked:

    "Let's maybe check with jwt.io again... and we can see the algorithm is HS256."

  • The decoding process:

    "Let's do a quick test and just run this command as we've seen it in the guide... and then we get the exact same thing, we get this access token."

  • Superuser Access:

    "The one that's important is this: 'superuser: true'."


6. Modifying the JWT Payload

  • The creator tries to add a debug flag:

    "Let's set this to true. So we now set this."

  • The process is reversed:

    "Now we need to do the inverse of what we did before. So we first decoded it, now we changed it, and the last part is to re-encode it."

  • The JWT is re-encoded:

    "We get a new token which now has the debug flag in it."
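
As an added example (not code from the video, its target API, or the jwt library it uses), here is a stdlib-only Python walk-through of the decode / re-encode steps in sections 5 and 6, written from the server's side so the Key Takeaways below are visible in code: the claims (including superuser: true) are readable by anyone holding a token, editing the payload without re-signing is rejected, the same edit is accepted as soon as it is signed with the leaked settings.jwt_secret, and rotating that secret invalidates every token minted with the old one. All secret values and claims here are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for illustration only; nothing here comes from the video's target API.
LEAKED_SECRET = "example-jwt-secret-read-from-environ"
ROTATED_SECRET = "example-new-secret-after-rotation"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWTs require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What jwt.io shows: header and claims are only base64url-encoded, never encrypted,
    so anyone holding the token can read 'superuser: true' without knowing the secret."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def encode_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 token. The server does this at login; anyone who learns
    `secret` can do exactly the same with whatever claims they like."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_json_bytes(header)) + "." + _b64url_encode(_json_bytes(claims))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Server-side check. Returns the claims only when the signature matches;
    None for malformed tokens, an unexpected algorithm, or a signature mismatch."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Pin the algorithm the server expects instead of trusting the token's header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, presented_sig):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


def edit_claims_without_resigning(token: str, extra: dict) -> str:
    """Change the payload but keep the old signature: what a tamper attempt
    without the secret looks like, and what verification must reject."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    _, claims = decode_unverified(token)
    claims.update(extra)
    return header_b64 + "." + _b64url_encode(_json_bytes(claims)) + "." + sig_b64


def demo() -> dict:
    """The four outcomes the video's steps hinge on, as booleans."""
    issued = encode_hs256({"sub": "alice", "superuser": True}, LEAKED_SECRET)
    _, visible = decode_unverified(issued)
    tampered = edit_claims_without_resigning(issued, {"debug": True})
    reissued = encode_hs256({"sub": "alice", "superuser": True, "debug": True}, LEAKED_SECRET)
    return {
        "claims_readable_without_secret": visible.get("superuser"),
        "tampered_accepted": verify_hs256(tampered, LEAKED_SECRET) is not None,
        "reissued_with_leaked_secret_accepted": verify_hs256(reissued, LEAKED_SECRET) is not None,
        "old_tokens_survive_rotation": verify_hs256(reissued, ROTATED_SECRET) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two lines that matter for defence are the algorithm pin and the constant-time compare in verify_hs256; everything else follows from the fact that HS256 is a shared-secret scheme, so the secret's confidentiality (keep it out of readable files and environment dumps, rotate it on exposure) is the entire security boundary.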


7. Using the Hacked JWT

  • The new token is added to the API docs:

    "Let's add this bearer token in here... and now we should refresh the docs."

  • The creator tests writing to the file system:

    "Let's just write something in the temp directory because everybody should have access to the temp directory... let's write in here 'hello world'."

  • Success!

    "We can now write on the file system."


8. Trying to Serve Files via the Web Root

  • The creator attempts to create an index.html:

    "Let's create a new index.html... and we got an unknown error. I have no idea why, hence the term unknown."

  • They consider overwriting the main Python file:

    "The easiest way would be if we overwrite the main.py and then somehow could reload it. I have no idea how to do that, so let's not go with that way for now."

  • They look for the web root:

    "Maybe it's the home... and we have an index.html... and it's a success."

  • But:

    "If we do, we get the index.html not found. So apparently this isn't the web root."


9. Planning a Reverse Shell

  • The creator explains their goal:

    "What I'm actually trying to do is to create a reverse shell using this upload technique that we now have at our disposal."

  • They note the challenge:

    "I'm just unsure how to trigger the file... apparently we can't just do that because I just uploaded the index.html and we can't find it."

  • They consider modifying endpoint files:

    "Maybe if we just change one of the other files it will lazy load it somehow... if we can smuggle in a reverse shell into this Python script I think we're good to go."


10. Wrapping Up

The video ends with a friendly sign-off:

"Thank you for watching, make sure to subscribe and hit the like button, and if you want to learn more about hacking check out my Patreon channel over here. Bye bye!"


Key Takeaways & Learnings

  • JWTs are often signed with a secret stored in code or environment variables.
  • If you can find the secret, you can forge your own tokens and escalate privileges.
  • Decoding and re-encoding JWTs is straightforward with the right tools (like Python's jwt library).
  • With a valid token, you can access protected endpoints and potentially write files or execute code.
  • Web roots and file serving can be tricky—just uploading a file doesn't guarantee it's accessible via the web.
  • Persistence and creativity are key in hacking—when one method fails, try another!

Memorable Quotes Recap

  • "In all of those they are using something called settings.jwt_secret."
  • "Now we have the API key saved. Perfect!"
  • "Why not use Python to hack it? It's just the irony that I like."
  • "The one that's important is this: 'superuser: true'."
  • "We can now write on the file system."
  • "What I'm actually trying to do is to create a reverse shell using this upload technique that we now have at our disposal."
  • "Thank you for watching, make sure to subscribe and hit the like button..."

Hope this breakdown helps you understand how JWT hacking works in practice! 🚀 If you want to learn more, don't forget to check out the creator's other content. Happy hacking! 🐱‍💻

Summary completed: 7/19/2025, 11:51:19 AM
