This is the third article in a three part series on JSON Web Tokens, that breaks down as follows: What is a JWT – JSON Web Token? This article gives you all the basics to understand how JSON Web Tokens work. Hacking JWT – JSON Web Token (part 1) This article explains how to...
Hacking a JWT – JSON Web Token (part 1)
This is the second article in a three part series on JSON Web Tokens. The first article outlined what a JWT is, what its components are and how you can read and edit its content (if you haven’t read this first article, I strongly suggest you take a moment to do it now before...
What is a JWT – JSON Web Token?
A JSON Web Token is an encoded string of characters that allows users to identify themselves when interacting with an API. Why do you need a token? Because APIs manage their connections in a different way than regular web applications do. A web app typically relies on stateful connections. This means that when a...
Extract email addresses from a large JSON file
Some requests to API endpoints may generate a very large output in JSON format. As an example, the crAPI vulnerable web app that I have been practicing with lately has an endpoint that lists the details of all recent posts in the community section of the app. These details happen to include the e-mail...
Export a Postman collection to OpenAPI 3.0
This post is a follow up to my earlier Build an OpenAPI 3.0 documentation file post. In this previous post, I showed you how you can create your own API documentation, compliant with the OpenAPI 3.0 specifications, using Firefox and mitmproxy2swagger. The point is to have a documentation file that you can then import...
Build an OpenAPI 3.0 documentation file
This post will help you if you are testing an API, you are at the recon stage and you want to generate your own OpenAPI 3.0 documentation for your target, which you can then open as a collection in Postman to start probing for vulnerabilities. Here, we are going to use Firefox’s developer tools...
Using Kiterunner with routes-large.kite
So you’ve chosen Kiterunner as your preferred tool for fuzzing APIs ? Good for you (I’ll go into more detail about Kiterunner in a later post – stay tuned). But if you are using a virtual machine to host the linux system you use for your hacking (which I very much recommend) and installed...
Make crAPI accessible on a network
Need to practice your API hacking skills? crAPI is for you. OWASP’s completely ridiculous API (crAPI) is one of several vulnerable apps you can set up as a target on your network. You’ll find installation instructions here. But there’s a catch. Once you have successfully run through the instructions, you will have a functioning...
What is directory traversal?
Some web applications give you access to directories containing files you are allowed to display or download. Imagine a web app that lets users share images of their custom skateboards or bikes. Images uploaded by the site’s users could be all stored in a given directory. If you click on one of these images,...
What is a file inclusion – LFI – RFI
In some situations, a web application will allow a user to access a file stored on the server (such as a text file or a PDF document) and display or render its content to the web page viewed by the user. Imagine a web site that lets users upload their resume and allows hiring...