$ nikto -h http://188.166.168.204:31525
+ Server: No banner retrieved
+ Retrieved x-powered-by header: Express
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /auth
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD
+ OSVDB-3092: /auth/: This might be interesting...
+ 7917 requests: 0 error(s) and 6 item(s) reported on remote host
$ dirb http://188.166.168.204:31525
---- Scanning URL: http://188.166.168.204:31525/ ----
+ http://188.166.168.204:31525/auth (CODE:200|SIZE:2149)
+ http://188.166.168.204:31525/logout (CODE:302|SIZE:27)
$ whatweb http://188.166.168.204:31525
http://188.166.168.204:31525 [302 Found] Country[RUSSIAN FEDERATION][RU], IP[188.166.168.204], RedirectLocation[/auth], X-Powered-By[Express]
http://188.166.168.204:31525/auth [200 OK] Bootstrap[4.4.1], Country[RUSSIAN FEDERATION][RU], HTML5, IP[188.166.168.204], JQuery, PasswordField[password], Script, Title[Under Construction - Login], X-Powered-By[Express]
$ wapiti -u http://188.166.168.204:31525
[*] Launching module http_headers
Checking X-Frame-Options :
X-Frame-Options is not set
Checking X-XSS-Protection :
X-XSS-Protection is not set
Checking X-Content-Type-Options :
X-Content-Type-Options is not set
Checking Strict-Transport-Security :
Strict-Transport-Security is not set
/home/kali/.wapiti/generated_report
JSON Web Token (JWT) Authentication Bypass
https://snyk.io/test/npm/jsonwebtoken/4.0.0#npm:jsonwebtoken:20150331
CVE-2015-9235 JWT HS/RSA key confusion vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9235
http://jwt.io
$ ~/jwt_tool/jwt_tool.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....oAQkFClEsy3IKX_Jvm6AvJL9d59neLwcNxtpmpqq9OBAEyVtWDBZi4cGIejFakmwuwgyytd2Ow7ikqv9vhFyNhnRGBFttI8Ca-lXi158feJTv4C-hKrQahZwz87uF8-2PCZ7uSAQYOcONKRpljl3w4YNb352Nzs4_eLnWNH9VM5_npgtnVhwltN6Ko4DFq1ZFcQ97tRoZ7Tlx1J3qqAGY3PouTDqnAKHpeGPkwek7K2eX-HWuhtu2mS7jLTTvQN0i7nuHNrTlROmzE8FDkbEGwW8OotHK9htnOeqxpYHXeUhe4MiZDK-GFn7aBZncJh1TeWvIEH3Mpbo4V1x_Nt-4g
Decoded Token Values:
Token header values:
[+] alg = "RS256"
[+] typ = "JWT"
Token payload values:
[+] username = "cpt"
[+] pk = "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA95oTm9DNzcHr8gLhjZaY
ktsbj1KxxUOozw0trP93BgIpXv6WipQRB5lqofPlU6FB99Jc5QZ0459t73ggVDQi
XuCMI2hoUfJ1VmjNeWCrSrDUhokIFZEuCumehwwtUNuEv0ezC54ZTdEC5YSTAOzg
jIWalsHj/ga5ZEDx3Ext0Mh5AEwbAD73+qXS/uCvhfajgpzHGd9OgNQU60LMf2mH
+FynNsjNNwo5nRe7tR12Wb2YOCxw2vdamO1n1kf/SMypSKKvOgj5y0LGiU3jeXMx
V8WS+YiYCU5OBAmTcz2w2kzBhZFlH6RK4mquexJHra23IGv5UJ5GVPEXpdCqK3Tr
0wIDAQAB
-----END PUBLIC KEY-----
"
[+] iat = 1620604718 ==> TIMESTAMP = 2021-05-09 19:58:38 (UTC)
----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------