Webcast: Modern Webapp Pentesting: How to Attack a JWT





So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection.

Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get written to your browser’s localStorage or sessionStorage and passed around in cookies or HTTP headers. They’re pretty common in authentication and authorization logic for web APIs.

Because they’re encoded, they look like gibberish and it’s easy to skip over them during a test. For the same reason, they’re more complicated to attack. First, you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you’ve done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it.

It’s kind of a lot.

In this Black Hills Information Security webcast – an excerpt from his upcoming 16-hour Modern Webapp Pentesting course – BB King talks about what JSON Web Tokens are, why they’re so controversial, and how to test for their major weaknesses. Then, using OWSAP’s Juice Shop as a target, he shows you a straightforward method for exploiting them that you can use on your own next webapp pentest.

Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5

0:00 – Good Morning!

1:50 – What Are JSON Web Tokens?

4:43 – Base64 Vs Base64 URL Encoding

7:58 – The Construction of a JSON Token

10:07 – Use Cases

13:03 – RFCs of Interest

13:26 – Encoded, Not Encrypted

19:58 – The Red Slide

20:39 – OWASP Top Ten Issues

21:01 – Signature Al Gore Rhythms

25:31 – Stanced On Privacy

26:53 – Stanced On Security

28:56 – Craking

30:20 – Where To Practice

34:58 – Decoding the Payload – DEMO

45:57 – Snooping ( Stealing Poorly-Protected Secrets )

53:34 – For Further Study



Check out our Cyber Range, not just a place to work through challenges and play, but also an open direct/hands-on training environment.

https://www.blackhillsinfosec.com/services/cyber-range/



Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.

Join 2,577 other subscribers