黑客如何渗透JSON Web Token？通过劫持Token修改密码？

作者：FancyPig | 发布时间：2022-10-24 19:37:30 | 更新时间：2023-02-05 16:59:08

相关阅读

data-postsbox="{"id":24624,"title":"【视频教程】道德黑客零基础入门教程","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/10/20221013063638658.png","cover_video":"","views":4034,"comment_count":12,"category":"knowledge","is_forum_post":false}">{"id":24624,"title":"【视频教程】道德黑客零基础入门教程","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/10/20221013063638658.png","cover_video":"","views":4034,"comment_count":12,"category":"knowledge","is_forum_post":false}

data-postsbox="{"id":25119,"title":"【漏洞赏金渗透课程】Api接口渗透测试、Fuzz技巧分享","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/10/20221022045345855.png","cover_video":"","views":4194,"comment_count":6,"category":"knowledge","is_forum_post":false}">{"id":25119,"title":"【漏洞赏金渗透课程】Api接口渗透测试、Fuzz技巧分享","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/10/20221022045345855.png","cover_video":"","views":4194,"comment_count":6,"category":"knowledge","is_forum_post":false}

data-postsbox="{"id":11474,"title":"【零基础学渗透】工具篇——BurpSuite","author":"Sec-Labs","author_id":10015,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/03/20220313155529975.png","cover_video":"","views":9400,"comment_count":663,"category":"cybersecurity","is_forum_post":false}">{"id":11474,"title":"【零基础学渗透】工具篇——BurpSuite","author":"Sec-Labs","author_id":10015,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/03/20220313155529975.png","cover_video":"","views":9400,"comment_count":663,"category":"cybersecurity","is_forum_post":false}

视频讲解

JWT(Json Web Token)是常见的身份认证方式，如何通过篡改JWT中的payload，从而劫持、篡改账户密码？本期视频将带大家一探究竟

备用播放线路

JSON Web Token

Json Web Token简称JWT，通常出现在请求头中，格式类似于

Authorization : bearer <Token>

其中<token>通常是三段的base64结构

在请求头里，通常为下面的样子

Authorization : bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

我们可以去jwt.io上查看示例，下面是<token>

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

也就是你可以理解为Header.Payload.Verify Signature，它们均是base64加密的，因此你可以单独对其进行解密

看下面的图就非常清晰了

我们会发现在Payload中会包含我们用户身份的信息，比方说name，那么设想一下，有些对安全没有进行足够校验的，是否可以通过修改name后面的名称，进行越权访问呢？譬如，我们将其修改为admin

然后我们重新覆盖请求头，是否会有奇效呢？

Authorization : bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.T26Dm4buOBRdxNs58srk1l_N5y1Dxii9y-YMj-9J7mM

视频中就是通过类似的方式，修改请求头中的Authorization和Cookie中的token，最终可以修改管理员的密码，最终登录管理员账户

标签：jwt, json web token, jwt令牌, json web token渗透, 身份认证绕过, 篡改用户身份