For any modern web application, authentication and authorization are key components of the security posture. In recent years, JSON Web Token (JWT) has become one of the leading technology standards used to secure and protect web apps of all kinds. Loved by many but hated by cryptographers, JWT is used extensively in OAuth, OIDC, Kubernetes, and other distributed web services and microservices.
In this course, we’ll be learning about JSON Web Token with a focus on attacking vulnerable JWT implementations and looking at defense strategies. We start with an introduction to JWT and why we need it. We’ll also explore the essentials of JWTs with cryptography.
Most of our time will be spent taking a deep-dive into attacking JWTs. This includes JWT algorithm confusion, authentication bypass, mutable claims attack, and HMAC brute force attacks, among others. Every single one of our lessons will be taught with the help of lab exercises to give you a hands-on look at real-world methods used to attack JSON Web Tokens.
All of AppSecEngineer’s video lessons and labs have been carefully crafted to deliver high-quality training while helping you retain as much of it as possible. All our material is designed to deliver real-world problem-solving experience. When you finish this course, you’ll be able to directly apply what you’ve learned to secure web apps with JWT.
JWT Algorithm Confusion
JKU Authentication Bypass
JWT Mutable Claims Attack
Bruteforcing JWT HMAC Keys
Introduction to the course
The need for JWT
The need for JWTs
JWT Standards and Utility
Anantomy of a JSOn Web Token
Who uses the JWT?
Signing a JWT with HMAC
HMAC Variants of the JWT
Using Asymmetric encryption with JWT
Introduction to JWT Attacks
Existing JWT Vulnerabilities
JWT Algorithm Confusion Attack
Lab Video: JWT Algorithm Confusion
Lab: JWT Algorithm Confusion
JKU Authentication Bypass
Lab Video: JKU Authentication Bypass
Lab: JKU Authentication Bypass
JWT Mutable Claims Attack
Lab Video: JWT Mutable Claims Attack
Lab: JWT Mutable Claims Attack
Lab Video: JWT HMAC Bruteforce
Lab: Bruteforcing JWT HMAC Keys