Attacking JSON Web Tokens with Louis Nyffenegger


Details
Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or simply to pass data between applications or services. By design, JWT carries a large number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (None and algorithm confusion), we are going to move on to kid injection and embedded JWK (CVE-2018-0114). Finally, we will look at the jku and x5u attributes and how they can be abused by chaining vulnerabilities.
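The pitfalls the talk lists (alg none, algorithm confusion, kid injection, embedded JWK, jku/x5u) all come down to a verifier trusting the token's own header. The following stdlib-only HS256 verifier is an added example, not code from the talk or from PentesterLab, showing the checks a defender wants; the secret, the `kid` allowlist and the sample tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the talk).
SECRET = b"demo-secret-not-for-production"
ALLOWED_ALG = "HS256"            # pinned server-side; never read from the token
DEFAULT_KID = "key-2024"
KNOWN_KIDS = {DEFAULT_KID: SECRET}  # kid is a lookup key, never a path or query
# Header parameters that let the token supply its own key material or key URL.
FORBIDDEN_HEADERS = {"jwk", "jku", "x5u", "x5c"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 token (used here only to build test inputs)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str):
    """Return the payload dict, or None if any check fails."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    # 'none' and algorithm confusion: the header's alg must equal the pinned one.
    if header.get("alg") != ALLOWED_ALG:
        return None
    # Embedded JWK / jku / x5u / x5c: refuse tokens that try to name their own key.
    if FORBIDDEN_HEADERS & header.keys():
        return None
    # kid injection: resolve kid only through the allowlist.
    key = KNOWN_KIDS.get(header.get("kid", DEFAULT_KID))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))
```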
LOUIS NYFFENEGGER
Louis (@snyff) is a security engineer based in Melbourne, Australia, where he performs pentests, architecture reviews, and code reviews. Louis is the founder and CEO of PentesterLab (@pentesterlab), a learning platform for web penetration testing.
