Forge the token to gain unauthorized access!

Image for post
Image for post
Made by me :)

JSON Web Token is commonly used for authorization and in its compact form, it consists of three elements:

  1. Header
  2. Payload
  3. Signature

This is a JSON object which is the metadata of the token mostly used to define its type, algorithm’s name being used for signing the Signature like “HS256”, “RS256” etc. and other parameters like “kid”, “jku”, “x5u” etc.

This is also a JSON object and is used to store the user’s information like id, username, role, token generation time and other custom claims.

This is the most important part as it decides the integrity of the token by signing the Base64-URL encoded Header and Payload separated by a period(.) with the secret key. For example, to generate a token with HS256 algorithm, pseudo-code would be like…


Step by Step guide for beginners!

Image for post
Image for post

Introduction

As a pentester developing new skills in different areas is very important as you might miss something crucial from one approach. Android pentesting is one of them, but it requires a dedicated environment and I will explain how to setup an easy one. So let’s begin!

Table of contents:

  • Setup android emulator (Genymotion)
  • Configure Burp Suite CA certificate on device
  • Frida to bypass SSL pinning
  • Bytecode Viewer (for static analysis)

Before installing emulator, I would recommend to install any Linux based distro or Santoku, which is especially designed for mobile pentesting. …

About

Neha Tariq

BSCS student! Learning Web app & Android pentesting! Loves to read Books! Appreciates knowledge and folks :)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store