Hard-coded JWT secret may allow logging in as any user #3

The JWT token secret is hard-coded in the .env file.
c-shopping/.env, line 3 in 1588741
Taking https://shop.huanghanlian.com/ as an example, one can construct a valid JWT at will.
The JWT is made up of the userid; the userid is a MongoDB ObjectID, and ObjectIDs can be predicted, see https://book.hacktricks.xyz/v/cn/network-services-pentesting/27017-27018-mongodb#mongo-objectid-yu-ce .
Fix suggestions:

Comments
Thanks for the suggestion; I will study this problem carefully and fix it soon.