In this video, we're going to cover another authentication flaw. This time, we're going to be doing it with JWT, JSON Web Tokens. So JSON Web Tokens are an interesting thing to work around, because based on the RFC, they're digitally and cryptographically signed. So by their nature it feels like they should be trustworthy, and this authentication flaw comes from not fully understanding how JWT tokens work and how to validate them and verify them.

So let's dive into them a little bit if you have no idea what they are. JWT tokens are essentially a three-part token that's sent and deciphered. So this looks like gibberish, but it's actually base64-encoded data. It's separated by dots. So the first base64-encoded part is the header, the second is the set of claims, and the final one is a signature that validates that all of this is true, meaning that if the user modifies the claims, the signature should be able to verify them and validate that, and there should be no way to omit this.

So let's look at what those headers look like. So the header is saying something essentially like what algorithm are you using, so SHA-256, and what type are you? It's a JWT token. And the claims are application defined. So when is the expiration date, what is the username? What scope? What authorities do you have? So this is where things like RBAC, role-based access control, come in, and you can have roles given to this individual. Now, we can see that without the signature, this would be really dangerous, because I could just give myself the admin role if I didn't have it.

So let's look at the threat model of this. The browser does a POST with a username login and password. We've seen that many times by now in our Burp proxy. The server creates a JWT token with a secret, what we essentially saw on the last page, and returns it to the browser. The browser sends that back in the header with every single request they make.
Depending on the request, if it's critical or if it's a request that requires the verification of the JWT, the signature is checked, the user information is verified, and as long as everything checks out, it is returned back to the client. So there is one space, sending it off, where the attacker could modify the JWT token and potentially bypass certain authentication or even certain authorizations.

So let's play with this really quick. We have some features here to simulate a website that has many different roles. Now, WebGoat can be buggy sometimes. So this drop-down should open for you, and you should have the three individual users and a guest. So I just selected Guest, and it says welcome back, guest. If I try to vote, I'm not allowed to vote as a guest user. I can pretend to be Tom, and I try to vote as Tom. Obviously, you can see the votes are going up. I can become Jerry, and I can vote as Jerry. I can become Sylvester, and I can vote as Sylvester. Now, the goal is for us to be able to delete a particular item in here. You notice that we can't do that, and we have to be admin to have those rights. So Tom can't do it, Jerry can't do it, and certainly guest can't do it.

So the question becomes what is being sent, and what is being received on the backend? So let's look at our Burp proxy. We just sent a ton of traffic to this. So I'm going to scroll all the way down towards my most recent traffic. Let me make this bigger for you. So we can look at our POST requests. There was a reset requested, and what was returned is that you cannot do this. So this request didn't have a body. The previous POST that was requested, it was also responded that you need to be an admin for this one. So unlike our second one, where it said you need a JWT token, we can see that in our request there's no token being sent off. Therefore, we got a response that you need a token. This one, it said only an admin can reset the votes.
We can see that there's a token associated with it. All right. So let's look at this token. I'm going to copy this entire bit of text. There's a really cool tool that I like to use for things like this. It's called CyberChef. It allows us to take a bunch of text, and I can ask it to bring it back from base64 for me. Now, it does have dots, which is technically not in base64. This is something that's in the specification of JWT. So I'm going to delete those and replace them with line returns. Here is what the JWT token header was to begin with: we have an algorithm that is HS512, and it looks like the message that's in here is iat, some number, I'm not sure what that is, whether or not I'm an admin, and some stuff that is probably from the signature. So I'm just putting a little space between them so you can see the end of it. Actually, let me remove the signature. So the signature isn't something that we can turn into text. It's nothing meaningful to us.

So if we wanted to go back and somehow modify this, the question is how do I go and make myself an admin without breaking that signature that we took out a second ago, and still have the application allow us to do that? So go ahead and give it a try. You're probably going to want to use Repeater for this, and we'll cover it on the next video.
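The token structure and the signature check described in this video, as an added Python example that is not part of the video or of WebGoat's own code. It reproduces what CyberChef showed (split on the dots, base64url-decode the header and claims), builds and verifies an HS512 token with the standard library, and shows why simply editing the admin claim fails once the server actually recomputes the HMAC. The signing secret, the claim values and the `admin`/`user` claim names are constructed for the example; the real lesson key is not known here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed secret for this example only; the real WebGoat signing key is not known to us here.
SECRET = b"example-signing-secret"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding, which is why plain base64 tools choke."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding, then decode; this is the per-segment step done in CyberChef."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs512(header: dict, claims: dict, secret: bytes) -> str:
    """Build header.claims.signature, signing the first two segments with HMAC-SHA512."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[dict, dict, bytes]:
    """Split on the dots and decode each part without checking anything (what the attacker sees)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_hs512(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: return the claims only if alg is the one we expect and the HMAC matches."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS512":
        return None  # never let the token choose the algorithm for you
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # claims were altered, or signed with a different key
    return json.loads(b64url_decode(p))


def tamper_admin(token: str) -> str:
    """Edit the admin claim and re-encode it, carrying the old signature over unchanged."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["admin"] = "true"
    forged_p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{forged_p}.{s}"


if __name__ == "__main__":
    # Constructed sample claims modelled on the ones seen in the decoded lesson token (iat, admin).
    token = sign_hs512({"alg": "HS512", "typ": "JWT"},
                       {"iat": 1516239022, "admin": "false", "user": "Tom"}, SECRET)
    print("decoded:", decode_unverified(token)[:2])
    print("valid token ->", verify_hs512(token, SECRET))
    print("forged token ->", verify_hs512(tamper_admin(token), SECRET))
```

The point to take away is in `verify_hs512`: the server must recompute the HMAC over the exact `header.claims` bytes it received and compare with `hmac.compare_digest`, and it must pin the algorithm rather than trusting the `alg` field in a header the client controls. `decode_unverified` is only the first half of that job, which is all CyberChef does.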