diff --git a/docs/Chapter_17_Plugin_and_API_Exploitation.md b/docs/Chapter_17_Plugin_and_API_Exploitation.md index caf9891..5816995 100644 --- a/docs/Chapter_17_Plugin_and_API_Exploitation.md +++ b/docs/Chapter_17_Plugin_and_API_Exploitation.md @@ -1010,7 +1010,7 @@ JSON Web Tokens (JWT) are self-contained tokens that carry authentication and au A JWT consists of three parts separated by dots: -``` +```text header.payload.signature ``` @@ -1146,14 +1146,14 @@ JWTs are stateless, but you can maintain a blacklist of revoked `jti` values (in - Account is compromised - Permissions change -**Common JWT Vulnerabilities:** +### Common JWT Vulnerabilities -**1. Algorithm Confusion (alg=none)** +#### 1. Algorithm Confusion (alg=none) - **Attack**: Change `alg` to `none`, remove signature - **Defense**: Always specify `algorithms` parameter in decode -**2. Weak Secret Keys** +#### 2. Weak Secret Keys ```python # ❌ Bad: Easily brute-forced @@ -1163,7 +1163,7 @@ secret_key = "secret123" secret_key = secrets.token_urlsafe(64) ``` -**3. No Expiration** +#### 3. No Expiration ```python # ❌ Bad: Token never expires @@ -1173,7 +1173,7 @@ payload = {'user_id': 123} # Missing 'exp' payload = {'user_id': 123, 'exp': time.time() + 3600} # 1 hour ``` -**4. Storing Sensitive Data** +#### 4. Storing Sensitive Data ```python # ❌ Bad: JWT payloads are Base64-encoded, NOT encrypted @@ -1183,7 +1183,7 @@ payload = {'user_id': 123, 'password': 'secret123'} # Visible to anyone! payload = {'user_id': 123, 'permissions': ['read']} ``` -**5. Not Validating Claims** +#### 5. Not Validating Claims ```python # ❌ Bad: Accept any valid JWT