Summary: <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection. <br> <br> <br> <br> Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get written to your browser’s localStorage or sessionStorage and passed around in cookies or HTTP headers. They’re pretty common in authentication and authorization logic for web APIs. <br> <br> <br> <br> Because they’re encoded, they look like gibberish and it’s easy to skip over them during a test. For the same reason, they’re more complicated to attack. First, you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you’ve done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it. <br> <br> <br> <br> It’s kind of a lot. <br> <br> <br> <br> In this Black Hills Information Security webcast – an excerpt from his upcoming 16-hour Modern Webapp Pentesting course – BB King talks about what JSON Web Tokens are, why they’re so controversial, and how to test for their major weaknesses. Then, using OWSAP’s Juice Shop as a target, he shows you a straightforward method for exploiting them that you can use on your own next webapp pentest.<br> <br> <br> <br> Join the Black Hills Information Security Discord discussion server — <a rel="noreferrer noopener" href="https://www.youtube.com/redirect?redir_token=6-h25oKPogD2o3tGK6LUuAOFSYN8MTU5MzEwMzkxOEAxNTkzMDE3NTE4&v=muYmiEtPL8U&q=https%3A%2F%2Fdiscord.gg%2FaHHh3u5&event=video_description" target="_blank">https://discord.gg/aHHh3u5</a> <br> <br> <br> <br> Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WebApp_PenTesting_AttackingJWTs.pdf<br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=0s" target="_blank">0:00</a> – Good Morning! <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=110s" target="_blank">1:50</a> – What Are JSON Web Tokens? <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=283s" target="_blank">4:43</a> – Base64 Vs Base64 URL Encoding <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=478s" target="_blank">7:58</a> – The Construction of a JSON Token <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=607s" target="_blank">10:07</a> – Use Cases <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=783s" target="_blank">13:03</a> – RFCs of Interest <br> <br> <br> <br> <a href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=806s">13:</a><a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=806s" target="_blank">2</a><a href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=806s">6</a> – Encoded, Not Encrypted <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=muYmiEtPL8U&t=1198s" target="_blank">19:58</a> – The Red Slide <br> <br> <br> <br> <a rel="noreferrer noopener" href="https://www.youtube.com/watch?"></a>
