I love the internet as a resource for learning new things. I love YouTube as an easily accessible, exciting source of information for beginners. I have a long article describing just how much of a fan I am of online learning, but it comes with its own set of problems.
Teaching is not simple; communicating ideas takes a lot of very intentional effort to pull off successfully. It's easy for people who don't have a full grasp of a topic, or who find it difficult to convey what they do know, to unintentionally spread misleading (or sometimes straight-up incorrect) information. In my experience, most channels that spend time creating online content do their due diligence and make sure what they're putting out is high quality and correct, but this is not always the case.
I want to specifically talk about one video today, which I think is a pretty egregious example of what I mean.
What's wrong with this video
Now, right off the bat, the title… I don't know. It's a bit weird, but I guess you gotta hustle and get views, right? I don't like it, but it doesn't change the content; it's just a red flag that makes this video stand out to me as potentially low quality. It's just ever so slightly sus.
As a quick summary, the person in the video is going through an OWASP Juice Shop setup and demonstrating an injection vulnerability with user creation. It allows him to modify the payload in the user create endpoint to include properties that get sent directly to the database without any validation. This kind of thing can happen on a backend that looks something like this.
```javascript
app.post("/user", async (req, res) => {
  // no checks, send everything straight into the database baby
  const result = await db.createUser(req.body)
  res.json(result)
})
```
Now, this is a pretty serious vulnerability, but it's not realistic for big websites. It can happen with an inexperienced developer using a cringe backend like Express.js where there's no validation built into the webserver and zero type-safety, but it's not something you're going to be running into in the wild very often. Injection is literally #1 in the OWASP list of top 10 web vulnerabilities, so it's clearly a big problem. However, simple injection exploits like these are not going to be found in the first place you'd be looking for them, like a sign-up form. You probably don't make mistakes calculating something like 20 + 10 if you're double-checking and have people going over your work as well.
The way Loi finds this vulnerability (I hope that's his name, I haven't watched this YouTube channel before) isn't really discussed, and he tries to sell the process he's going through as something that works for any website, which is obviously not true, but we can suspend our disbelief in the name of clickbait magic for now. In the video, he points out that the backend is storing sensitive information in the JSON Web Token (JWT) issued to the user and goes through it to find potentially juicy information.
This isn't an incorrect observation since there's a password and totpSecret field in there, which are definitely scary-sounding fields I don't want to see in my client. But the critical thing to note here is that this layout of the JWT, with all the unexpected "sensitive" content, lets an attacker infer that there might be a missing sanitization step between fetching user data and creating a JWT. The JWT claims might represent the exact structure of what a user row in the database looks like, since a carefully crafted token would probably not contain these fields. The data stored in the JWT is NOT a vulnerability or a security problem by itself, as these fields should only be accessible by the user the token is being issued to. It's just a strong clue for an attacker that gives insight into what the backend might be doing wrong.
The step of inspecting the JWT gave Loi an idea of what the database schema of the site looks like, and it let him make a good guess at how he could change a payload that might be lacking validation on its inputs, the same way it lacked validation on its outputs. It's not actually a part of the vulnerability he ends up exploiting, and yet he keeps going on about storing sensitive information in a JWT the entire time and never once mentions injection, which is the real culprit here. Why?
He later goes to the user registration page, pulls up Burp Suite, and talks about how the JWT thing is making it possible for him to create a new user with premium, which makes no sense. The roles in the JWT are not insecure or sensitive. It's not uncommon to store user roles in a JWT, as it's signed and a user can't change it. If proper validation were being done, the JWT would've made zero difference, and the exploit wouldn't be possible. These two things are not in the least bit related to each other. This exploit is still possible with or without a JWT storing information that is not even sensitive to begin with.
The only problems that arise from storing user roles in tokens are logistical, not security-related. For example, if you store roles in a token, you have to reissue the user a new token when you want to change their roles, which can be kind of a pain to deal with if you don't have a flexible setup for that sort of thing.
It's also possible to set claims on a token without straight-up dumping an entire DB row into it and giving attackers insight into your DB schema and your app's security flaws.
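As an added example (not code from the video, from Juice Shop, or from any real project), here is the same handler shape with the two fixes discussed above: registration input is allow-listed so a client cannot set role or premium fields, and the token claims are picked explicitly instead of being copied from the DB row. The in-memory db object, the field names and the "customer" default role are constructed for this illustration.

```javascript
// Fields a client is allowed to set when registering. Anything else sent in
// the body (role, isPremium, id, ...) is dropped before reaching the database.
const REGISTRATION_FIELDS = ["email", "password"];

function sanitizeRegistration(body) {
  if (body === null || typeof body !== "object") {
    throw new TypeError("body must be a JSON object");
  }
  const clean = {};
  for (const key of REGISTRATION_FIELDS) {
    if (typeof body[key] !== "string" || body[key].length === 0) {
      throw new TypeError(`missing or invalid field: ${key}`);
    }
    clean[key] = body[key];
  }
  // Server-side default the client can never influence via the payload.
  clean.role = "customer";
  return clean;
}

// Constructed in-memory stand-in for db.createUser. A real backend would hash
// the password with a proper password hash (bcrypt/argon2/scrypt).
const db = {
  rows: [],
  createUser(user) {
    const row = {
      id: this.rows.length + 1,
      ...user,
      password: "[constructed placeholder for a password hash]",
      totpSecret: "[constructed placeholder for a TOTP secret]",
    };
    this.rows.push(row);
    return row;
  },
};

// Only the claims the client needs go into the token. A signed role claim is
// fine; the password hash and TOTP secret never leave the server.
function claimsFor(row) {
  return { sub: String(row.id), email: row.email, role: row.role };
}

// Express wiring would be:
//   app.post("/user", (req, res) => res.json(registerUser(req.body)))
function registerUser(body) {
  const row = db.createUser(sanitizeRegistration(body));
  return { user: claimsFor(row) };
}
```

With this in place, the claims object is what you would sign into the JWT, so the token still carries the role but no longer mirrors the database row.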
This was clearly something that confused viewers, as seen in comments like these from people who convinced themselves that they just became experts on stateless authentication after watching a video of an exploit that had nothing to do with JWTs.
I understand that these types of videos are meant to wow beginners and maybe get them excited about security, which is awesome! But the way this video is presented seems like it's meant more for experienced devs, filled as it is with a lot of technical jargon that would not be very useful for a beginner. It almost feels like an attempt to impress inexperienced people with a bunch of complicated technical stuff by someone who forgot that there are people watching the video who understand what he's talking about. I don't like this at all. This person is clearly experienced in this field and is someone that plenty of people look up to as an expert, yet he's not doing a good job communicating his knowledge clearly.
I'm all for showing cool stuff to people to get them interested in a field. But there are plenty of beginners who are still learning about these concepts who consume the content people like this guy create as a foundation for their knowledge, and that has some serious implications in situations like these. There's a way to combine being engaging and being correct, but it's not always easy. If you're willing to compromise this much on the latter part, I don't think you should be creating educational content, or at the very least, content that leads viewers to believe they just learned something new from an expert.
Btw, huge shoutout to the one person in the comments who actually understood what was going on lmao.