![]() ![]() One way to do this is to use a tool such as John the Ripper or Hashcat in the same way you would to crack password hashes acquired during a network test. ![]() Unless you are really lucky and manage to get Local File Inclusion (LFI), or somehow get shell on the web server, your only real option on most tests is to try to brute force the key. If you can get that key in some way, either by stealing it from the server, guessing it, or brute forcing it, then you are able to sign your own tokens, which, in most cases, means you can make whatever modifications you want to the payload and the claims it contains. When the signature is generated using a HMAC, the function generating the signature requires a secret key.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |