Tutorial on how to make HQ configs (tokens, unix, hashes, cookies)

by P6AK - 04 July, 2020 - 06:15 AM
This post is by a banned member (P6AK) - Unhide
#1
(This post was last modified: 04 July, 2020 - 06:16 AM by P6AK.)
Index:
1. How tokens work
2. What's an API?
3. Bearer token
4. Csrf-token
5. Jsession token
6. Hashes
7. UnixTime
1. How Tokens work...
Tokens are a form of authentication that allows a user to successfully fulfill a POST REQUEST. Without this "token" the user cannot do the Post Request successfully, and it results in an auth error. Tokens are the main element of web security when making a post request. Most tokens can be obtained before the request and then can be PARSED to use in the POST REQUEST. This can be found in segment 4 (CSRF-Token).

2. What's an API...
An API is considered by the user-agent from which the website is accessed. For example, if you access the website from Firefox, the API is different from accessing the website from Google Chrome. Some of the best configs today are made from mobile APIs. For this I will be mainly focusing on Web APIs, since Android/Apple APIs don't usually have good security, and I will be making a separate tutorial for that. Switching APIs will result in different website headers and in some cases different POST DATA.

3. Bearer Token
           
A bearer token is a form of authentication that runs through web headers instead of post data. A bearer token is found in a post request in the form | Authentication: Bearer <tokenhere> |. The token can be obtained before the post request by accessing the get request of the login form and then parsing the token from the response headers. Upon parsing, you can now finish the post request with the custom header Authentication: Bearer <thetokenyouparsed>.

4. CSRF-Token
           
The csrf-token is popularly found amongst post requests, is quite easy to bypass, and is very similar to the bearer token. To obtain this token you will also have to perform a GET request to the login form. In the response source, search for "csrf". There should be a class in the response source which gives you the token. In the same fashion as the bearer token, you want to parse it and then add the header to the post request "csrf-token: <tokenyouparsed>".

5. Jsession token
           
Ahhh yes, the JSESSION token. This one is not really considered a token since it runs through cookies. Crazy enough, it's also the same as CSRF and Bearer. Make a GET request to the login form and then parse the response cookies as [COOKIES(jsession)]. Once parsed, you can add it to your custom cookies as JSESSION: <tokenyouparsed>

6. Hashes
Hashes. Does your post data look like a bunch of dumbass numbers and letters? Well, don't be afraid, it's most likely HASHED. The function block in OpenBullet has a hash button where you can test which hash your post data is in. Once that is found, use your newly hashed post data to illegally brute-force web credentials.

7. UnixTime
UnixTime is a form of current time used to authenticate if the request should be timed out or if it's concurrent. In the function block built into OpenBullet you can convert to UnixTime and, badabing badaboom, implement it wherever is needed to bypass what you need. By the way, UnixTime can be found looking like a series of digits such as 1157739.

There are just about two other very popular security measures, which are Perimeter-X and Akamai, which I haven't had my share with, and I recommend skipping the site unless you are willing to invest TONS of time into it.
Will be making a big guide into sniffing APIs which bypass most measures of security which are considered not bypassable (recaptcha, captcha, akamai, etc...).




This took a lot of time, so please say you love me at least, and for any more questions please ask so I can update this frequently.
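Seen from the defending side, every token this post describes is handed out by a plain GET of the login form, so an automated client passes those checks on each attempt; what stands out in the logs is one client failing logins across many distinct usernames in a short span. The detector below is an added example, not part of the original post: the log tuple layout, the `/login` path, the 401/302 status codes and the thresholds are all assumptions about a hypothetical application.

```python
from collections import defaultdict

def client_events(ip, t0, users, status, step=2):
    """Build constructed GET-then-POST login events for one client."""
    events = []
    for i, user in enumerate(users):
        events.append((t0 + step * i, ip, "GET", "/login", "", 200))
        events.append((t0 + step * i + 1, ip, "POST", "/login", user, status))
    return events

# Constructed sample log (not from the thread): (epoch_s, ip, method, path, username, status).
# Assumption: this hypothetical app answers 401 to a failed login and 302 to a good one.
EVENTS = (
    client_events("203.0.113.7", 1000, [f"user{i}" for i in range(6)], 401)
    + client_events("198.51.100.20", 1004, ["alice"], 401)
    + client_events("198.51.100.20", 1009, ["alice"], 302)
)

def flag_stuffing(events, window=60, min_users=5, min_fail_ratio=0.8):
    """Return IPs whose login POSTs, within any `window`-second span, hit at
    least `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`."""
    posts = defaultdict(list)
    for ts, ip, method, path, user, status in sorted(events, key=lambda e: e[0]):
        if method == "POST" and path == "/login":
            posts[ip].append((ts, user, status))
    flagged = set()
    for ip, rows in posts.items():
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the span never exceeds the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {user for _, user, _ in span}
            fails = sum(1 for _, _, status in span if status == 401)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print(sorted(flag_stuffing(EVENTS)))
```

The user who mistypes a password once and then signs in is not flagged, because the rule keys on distinct usernames per client rather than on raw failure counts.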
 
 
This post is by a banned member (Camden4556) - Unhide
#2
thanks love u bruv
This post is by a banned member (Dripound) - Unhide
This post is by a banned member (P6AK) - Unhide
#4
This is a bump
This post is by a banned member (kromatix) - Unhide
This post is by a banned member (Taqieddine) - Unhide
#6
Love u
