0x06 - JWT Exfil from Source Page
Did you know you can exfiltrate the session ID/JWT of other users from the source of the page even without JavaScript?
Often we find sensitive info stored insecurely in the app's page source, but we tend to overlook it because we can't run JavaScript to extract this information.
But there are several other attacks that you can weaponize to extract this information.
How to do it
Cache Deception - the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
Request Smuggling - the attacker abuses the way a web site processes sequences of multiple HTTP requests, so that it returns HTTP responses that may belong to other users. If we get the page source of an authenticated user, chances are their session ID/JWT token is disclosed.
CORS Misconfiguration - a combination of reflected Origin and Access-Control-Allow-Credentials: true means that any domain can access resources from the vulnerable domain. If the response contains any sensitive information such as the session token/JWT, you can retrieve it and reuse it.
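For the cache deception and CORS items above, the server-side fix is the same in spirit: never hand a per-user page to a shared cache, and never reflect an arbitrary Origin together with Access-Control-Allow-Credentials: true. The following is an added defender-side example, not code from the original page; the allow list, origin values and function names are constructed for illustration. It places the reflecting CORS handler beside an exact-match allow-listed one, adds the Cache-Control header that keeps authenticated HTML out of shared caches, and includes a small check a proxy or test harness can run over observed response headers to flag the reflected-origin pattern.

```python
# Added example (not from the original page): response-header hygiene for a
# page that embeds a per-user session ID/JWT. Values below are constructed.
from urllib.parse import urlsplit

# Constructed allow list of origins permitted to make credentialed calls.
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})


def cors_headers_reflecting(origin):
    """Weak form: reflect whatever Origin the browser sent and allow credentials.
    Any origin can then read the authenticated response body."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: exact-match the Origin against an allow list.
    Unknown, malformed or 'null' origins get no CORS headers at all,
    so the browser refuses to expose the response to the caller."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A real Origin header is scheme://host[:port] only; anything else is rejected.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # The response body/headers depend on Origin, so caches must key on it.
        "Vary": "Origin",
    }


def cache_headers_for_user_content():
    """Per-user responses must never be stored by a shared cache; no-store
    means there is no copy for another visitor to retrieve later."""
    return {"Cache-Control": "private, no-store"}


def authenticated_response_headers(origin):
    """Headers for an authenticated HTML page: no shared caching plus
    allow-listed CORS. Returns a plain dict a web framework can emit."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    headers.update(cache_headers_for_user_content())
    headers.update(cors_headers_allowlisted(origin))
    return headers


def flags_reflected_origin(request_origin, response_headers, allowed=ALLOWED_ORIGINS):
    """Detection check for a proxy or test harness: True when a response
    grants credentialed cross-origin access to an origin that is simply
    echoed back and is not on the allow list."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not acac:
        return False
    return acao == request_origin and acao not in allowed


if __name__ == "__main__":
    for o in ("https://app.example", "https://app.example.other.test", "null"):
        print(o, "->", cors_headers_allowlisted(o))
```

Exact matching on the normalized origin is deliberate: prefix or substring checks ("does the Origin contain app.example?") are what turn an allow list back into reflection. The Vary: Origin header matters for the same reason no-store does: without it, an intermediary cache may serve one origin's CORS headers to another.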