So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection.
Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get written to your browser’s localStorage or sessionStorage and passed around in cookies or HTTP headers. They’re pretty common in authentication and authorization logic for web APIs.
Because they’re encoded, they look like gibberish and it’s easy to skip over them during a test. For the same reason, they’re more complicated to attack. First, you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you’ve done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it.
It’s kind of a lot.
In this Black Hills Information Security webcast – an excerpt from his upcoming 16-hour Modern Webapp Pentesting course – BB King talks about what JSON Web Tokens are, why they’re so controversial, and how to test for their major weaknesses. Then, using OWSAP’s Juice Shop as a target, he shows you a straightforward method for exploiting them that you can use on your own next webapp pentest.
Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WebApp_PenTesting_AttackingJWTs.pdf
0:00 – Good Morning!
1:50 – What Are JSON Web Tokens?
4:43 – Base64 Vs Base64 URL Encoding
7:58 – The Construction of a JSON Token
10:07 – Use Cases
13:03 – RFCs of Interest
19:58 – The Red Slide
20:39 – OWASP Top Ten Issues
21:01 – Signature Al Gore Rhythms
25:31 – Stanced On Privacy
26:53 – Stanced On Security
28:56 – Craking
30:20 – Where To Practice
34:58 – Decoding the Payload – DEMO
45:57 – Snooping ( Stealing Poorly-Protected Secrets )
53:34 – For Further Study
Check out our Cyber Range, not just a place to work through challenges and play, but also an open direct/hands-on training environment.
Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.