AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Thursday, January 23 • 10:55am - 11:45am
JWT Parkour


Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or simply to pass data between applications or microservices. By design, JWTs carry a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (the None algorithm and algorithm confusion), we are going to move on to kid injection and embedded JWK (CVE-2018-0114). Finally, we will look at the jku and x5u attributes and how they can be abused by chaining vulnerabilities.


Louis Nyffenegger

Security Engineer and Founder, PentesterLab
Louis is a security engineer based in Melbourne, Australia, where he performs pentests, architecture reviews and code reviews. Louis is the founder of PentesterLab, a learning platform for web penetration testing. Recently, Louis talked at Owasp AppsecDay Melbourne, BSides Canberra (one of the...

Thursday January 23, 2020 10:55am - 11:45am PST
Terrace Lounge