Forge the token to gain unauthorized access!
JSON Web Token is commonly used for authorization and in its compact form, it consists of three elements:
This is a JSON object which is the metadata of the token mostly used to define its type, algorithm’s name being used for signing the Signature like “HS256”, “RS256” etc. and other parameters like “kid”, “jku”, “x5u” etc.
This is also a JSON object and is used to store the user’s information like id, username, role, token generation time and other custom claims.
This is the most important part as it decides the integrity of the token by signing the Base64-URL encoded Header and Payload separated by a period(.) with the secret key. For example, to generate a token with HS256 algorithm, pseudo-code would be like…
As a pentester developing new skills in different areas is very important as you might miss something crucial from one approach. Android pentesting is one of them, but it requires a dedicated environment and I will explain how to setup an easy one. So let’s begin!
Table of contents:
Before installing emulator, I would recommend to install any Linux based distro or Santoku, which is especially designed for mobile pentesting. …