首页 Java Novel-Plus default JWT Key

Novel-Plus default JWT Key

孤独常伴
发布在 Java
1,177 0

Vulnerability description

This vulnerability can cause an attacker to construct a custom session, which can be every user session.

Vulnerability details

The novel-plus project default JWT Key is Hard coded In the project config file.

Novel-Plus default JWT Key-L0ne1y

After a lot of testing,I found many websites use it(default jwt key).In addition, the site's login verification is weak so that it can be bypassed.Such as the backend API.

Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y

So,we can use it generate every user session attack the website get the other user permissions or information.

Similarly, we can run an Admin session in the local setup and use it to attack because they all use the same JWT Key, but this approach is time-limited.

Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y

Example

Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y
Novel-Plus default JWT Key-L0ne1y

本文系作者 @ 原创发布在 L0ne1y。未经许可,禁止转载。

喜欢()
上一篇
Novel-plus Background arbitrary file download
下一篇
Novel-Plus SQLi
评论 (0)

请登录以参与评论。

现在登录…
相关文章
School Fees Management System Unauthorized Access
Novel-Plus SQLi
Novel-plus Background arbitrary file download
Lin-cms-Spring-Boot default JWT Key
热门搜索
孤独常伴
34 文章
1 评论
6 喜欢
Top