The document discusses vulnerabilities in JSON Web Tokens (JWT). It begins by introducing JWTs and their typical uses. It then covers the JWT format and components like the header, payload, and signature. Various signing algorithms are presented. Attacks like open redirects, header injection, and algorithm downgrades are demonstrated through abusing the "jku" and "x5u" parameters. Recommendations are provided like using strong keys, reviewing libraries, enforcing algorithms, and testing for vulnerabilities. In conclusion, JWTs are complex and insecure by design, so careful implementation and testing is needed.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker.
I will show:
how to find hidden API interfaces
ways to detect available methods and parameters
fuzzing and pentesting techniques for API calls
typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications
Web Cache Deception Attack: A new web attack vector affecting many web frameworks and caching mechanisms. Slides are from Black Hat USA 2017.
White Paper:
https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view?usp=sharing
Original blog:
https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker.
I will show:
how to find hidden API interfaces
ways to detect available methods and parameters
fuzzing and pentesting techniques for API calls
typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications
Web Cache Deception Attack: A new web attack vector affecting many web frameworks and caching mechanisms. Slides are from Black Hat USA 2017.
White Paper:
https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view?usp=sharing
Original blog:
https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
Securing Your Containerized Applications with NGINXDocker, Inc.
Kevin Jones, NGNIX -
NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000's. In this talk we will discuss how and why NGINX's lightweight and powerful architecture makes it a very popular choice for securing containerized applications as a sidecar reverse proxy within containers. We will highlight important aspects of application security that NGINX can help with, such as TLS, HTTP, AuthN, AuthZ and traffic control.
Докладчик расскажет о технических аспектах разработки с нуля прототипа межсетевого экрана уровня систем управления базами данных Database Firewall: о том, что нужно чтобы разработать DBFW, о возможности применения методов машинного обучения для эффективного обнаружения SQL-инъекций по SQL-запросам, обнаружении SQL-инъекций на основе методов синтаксического анализа, реализации ролевого и атрибутного управление доступом. Также речь пойдет о перспективных механизмах защиты приложений на основе технологий межсетевого экранирования и статического анализа кода.
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyPeter Pilgrim
This session is about getting the best out of the Java EE 7 release with a particular focus on the digital developer and designer. Is there still life in Java EE? Yes there it is and you learn about exciting features that ease the development of enterprise applications. GlassFish 4 is the reference implementation for Java EE 7 and it provides out of the box open source production environment for WebSocket, Batch, JSON, Concurrency, JMS2, JAX-RS 2, CDI 1.1.
In this presentation, we will focus on the recent JSF enhancements to do with Faces Flows and Conversational Scope. Java EE 7 is relevant to digital developers and it can integrate recent designs and sophisticated front ends, which as utilise the responsive and adaptive techniques.
We will look at CDI and EJB integration and demonstrate how to best to get the application structure in the correct fashion for an enterprise application. The author also will provide some handy tips for troubleshooting development with GlassFish, including deployment of artifacts.
Finally, we will look around ahead on the probable improvements to the Java EE platform.
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimPayara
The talk presented by Peter Pilgrim at the London JavaEE & GlassFish User Group event on the 18th of February 2015.
find out more at: http://payara.co/february_london_glassfish_user_group_with_peter
Die Art und Weise der Client-Server-Authentifizierung hat in den vergangenen Jahren einen rasanten Wechsel erfahren. Anmeldungen z.B. über OAuth 2 sind Standard. Auch wenn Authentifizierungsmethoden wie Single-Sign-On (SSO) bereits seit mehreren Jahrzehnten Anforderungen von Unternehmen sind, gab es bisher im Enterprise Java Standard keine Lösungen dafür. Das hat sich mit Java EE 8 und der Version 1.0 der Security-API geändert.
Neben einem Blick auf die neuen Features der Security-API zeigt dieser Vortrag auch die Authentifizierung im Bereich der verteilten Systeme mit Hilfe von SSO über das JWT. Dabei wird darauf eingegangen, was der Standard nun bietet und was der Entwickler dazubauen muss.
CloudConnect 云计算大会 China 2016
OpenStack Swift的性能调优
Performance Tuning of OpenStack Swift
李明宇 奥思数据 创始⼈& CTO
Email: li.mingyu@ostorage.com.cn
Swift is good at storing small objects like photos and documents.
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
How to get along with HATEOAS without letting the bad guys steal your lunch?
It’s a cool idea - decouple the client from the server and let the application tell the client what it can do dynamically. This approach should allow much more flexibility and resilience as the client and server can evolve separately. Unfortunately, the HATEOAS approach can be a free lunch for cybercriminals unless you understand the simple steps needed to secure your design.
The question is - how to achieve the balance of design flexibility and security in practice?
This session will show you how to create a secure hypermedia-driven RESTful web service using HATEOAS principles. You’ll learn how HATEOAS works, understand how it can be exploited by the bad guys and discover why HATEOAS is still a really good approach .
With code and examples this session will leave you more informed and possibly a little wiser.
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with a heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - GuatemalaOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Recent workshop on security code review given at SecTalks Melbourne. The slides contain a link to the vulnerable PHP application to perform the review.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
ER(Entity Relationship) Diagram for online shopping - TAE
JWT: jku x5u
1. JWT jku&x5u = ❤
Attacking JSON WEB TOKENS…
Louis Nyffenegger
@PentesterLab
louis@pentesterlab.com
2. About me
PentesterLab.com / @PentesterLab
Security Engineer
PentesterLab:
Pentester/Code Reviewer/Security consultant/Security architect
Platform to learn web security/penetration testing
100% Hands-on
Available for individuals (free and PRO) and enterprises
Run a website to help people learn security
3. Who uses JWT?
PentesterLab.com / @PentesterLab
• A lot of people for OAuth2
• A lot of people for sessions
• A lot of people to manage trust
• A lot of people for password reset
• A lot of people who care about being stateless
and multi-datacenter architecture
10. JavaScript Object Notation (JSON)
PentesterLab.com / @PentesterLab
Human readable format to store or transmit objects
11. The Compact JWS Format
PentesterLab.com / @PentesterLab
Header Payload Signature
3 parts in a JSON Web Token:
12. The Compact JWS Format
PentesterLab.com / @PentesterLab
Header Payload Signature
Separated by a dot
. .
13. The Compact JWS Format
PentesterLab.com / @PentesterLab
eyJ0eXAiOiJK
V1QiLCJhbGci
OiJIUzI1NiJ9
eyJsb2dpbi
I6ImFkb
WluIn0
FSfvCBAwypJ4abF6
jFLmR7JgZhkW674
Z8dIdAIRyt1E
Separated by a dot
. .
eyJ = Base64('{"')
14. The Compact JWS Format
PentesterLab.com / @PentesterLab
Base64({…}) Base64({…}) Base64(…)
Header and Payload are base64* encoded JSON
. .
* urlsafe base64 encoding without padding
The signature is also base64 encoded
15. The Compact JWS Format: Encoding
PentesterLab.com / @PentesterLab
Urlsafe base64 encoding without padding:
*https://tools.ietf.org/html/rfc7515#appendix-C
16. The JWT Format: header
PentesterLab.com / @PentesterLab
Base64({"alg": "HS256",
"typ": "JWS"})
The header contains an algorithm “alg” attribute:
In this example HMAC with SHA256 was used
To tell how the token was signed.
…
. . …
17. The JWT Format: Algorithms
PentesterLab.com / @PentesterLab
A lot of different algorithms are supported*:
None
* https://jwt.io/ covers most
HS256
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES512
PS256
PS384
PS512
18. The JWT Format: payload
PentesterLab.com / @PentesterLab
…
The payload may contain literally anything:
Base64({"user":"admin",
"roles": ["adm","users"]}). . …
19. The JWT Format: payload
PentesterLab.com / @PentesterLab
The payload may contain registered claims:
Base64({"user":"admin",
"exp":12…, "iat":1234.. }). .… …
20. The JWT Format: creating a token
PentesterLab.com / @PentesterLab
• Create the JSON header and base64 encode it
• Create the JSON payload and base64 encode it
• Concatenate with a dot the (encoded) header
and payload
• Sign the result (header+.+payload)
• Base64 encode the signature
• Append a dot then the signature
21. The JWT Format: verifying a token
PentesterLab.com / @PentesterLab
• Split the token in three parts based on the dots
• Base64 decode each part
• Parse the JSON for the header and payload
• Retrieve the algorithm from the header
• Verify the signature based on the algorithm
• Verify the claims
24. jku and x5u
PentesterLab.com / @PentesterLab
• If you read some of the JWS RFC, you probably
learnt about jku and x5u parameter for the headers
• People are starting to use jku (JWK URL)
31. Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2
3 Fetching of the JWK based on the “jku” header
jku and x5u
PentesterLab.com / @PentesterLab
32. Fetching of the JWK based on the “jku” header
Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2
3
Parsing of the JWK4
jku and x5u
PentesterLab.com / @PentesterLab
33. Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2
3
Parsing of the JWK4
Verifying the JWT signature using the JWK5
Fetching of the JWK based on the “jku” header
jku and x5u
PentesterLab.com / @PentesterLab
34. Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header
Response
1
6
2
3
Parsing of the JWK4
Verifying the JWT signature using the JWK5
Fetching of the JWK based on the “jku” header
jku and x5u
PentesterLab.com / @PentesterLab
35. jku and x5u
PentesterLab.com / @PentesterLab
Application
Malicious
Server
HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header
Response
1
6
2
3
Parsing of the JWK4
Verifying the JWT signature using the JWK5
Attacker
Fetching of the malicious JWK based on the “jku” header
36. jku and x5u
PentesterLab.com / @PentesterLab
Application
Malicious
Server
HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2
3
Attacker
Fetching of the malicious JWK based on the “jku” header
40. 3 Fetching of the JWK based on the “jku” header
Parsing of the JWT to extract the “jku” header2
Application
Trusted
Server
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
41. Parsing of the JWT to extract the “jku” header2
Application
Open Redirect
Trusted
Server
HTTP Request with malicious JWT1
Malicious
Server
3 Fetching of the JWK based on the “jku” header
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
42. Parsing of the JWT to extract the “jku” header2
Application
Open Redirect
Trusted
Server
3 Fetching of the JWK based on the “jku” header
3a Redirect to malicious server
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
43. Parsing of the JWT to extract the “jku” header2
Application
Open Redirect
Trusted
Server
3 Fetching of the JWK based on the “jku” header
3a Redirect to malicious server
3b Fetching of the malicious JWK
after following the redirect
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
44. Parsing of the JWT to extract the “jku” header2
Application
Open Redirect
Trusted
Server
3
Parsing of the JWK4
Fetching of the JWK based on the “jku” header
3a Redirect to malicious server
3b Fetching of the malicious JWK
after following the redirect
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
45. Parsing of the JWT to extract the “jku” header2
Application
Open Redirect
Trusted
Server
3
Parsing of the JWK4
Verifying the JWT signature using the malicious JWK5
Fetching of the JWK based on the “jku” header
3a Redirect to malicious server
3b Fetching of the malicious JWK
after following the redirect
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect
PentesterLab.com / @PentesterLab
46. 3 Fetching of the JWK based on the “jku” header
Parsing of the JWT to extract the “jku” header2
Application
Trusted
Server
HTTP Request with malicious JWT1
Attacker
jku and Header Injection
PentesterLab.com / @PentesterLab
47. Parsing of the JWT to extract the “jku” header2
Application
Header Injection
Trusted
Server
3 Fetching of the JWK based on the “jku” header
HTTP Request with malicious JWT1
Header Injection
Attacker
Parsing of the JWT to extract the “jku” header2
Application
Header Injection
Trusted
Server
3 Fetching of the JWK based on the “jku” header
HTTP Request with malicious JWT1
Header Injection
Attacker
jku and Header Injection
PentesterLab.com / @PentesterLab
48. Parsing of the JWT to extract the “jku” header2
Application
Header Injection
Trusted
Server
3 Fetching of the JWK based on the “jku” header
3a The jku uses the header injection
to reflect the jwk in a response
HTTP Request with malicious JWT1
Header Injection
Attacker
jku and Header Injection
PentesterLab.com / @PentesterLab
49. Parsing of the JWT to extract the “jku” header2
Application
Header Injection
Trusted
Server
3
Parsing of the JWK4
Fetching of the JWK based on the “jku” header
3a The jku uses the header injection
to reflect the jwk in a response
HTTP Request with malicious JWT1
Header Injection
Attacker
jku and Header Injection
PentesterLab.com / @PentesterLab
50. Parsing of the JWT to extract the “jku” header2
Application
Header Injection
Trusted
Server
3
Parsing of the JWK4
Verifying the JWT signature using the
JWK from the header injection
5
Fetching of the JWK based on the “jku” header
3a The jku uses the header injection
to reflect the jwk in a response
HTTP Request with malicious JWT1
Header Injection
Attacker
jku and Header Injection
PentesterLab.com / @PentesterLab
51. Libraries: jku header injection - Exploitation
PentesterLab.com / @PentesterLab
Exploitation:
• Find a Header Injection
• Use the Header Injection to return
your JWK
• Add the Header Injection as jku
• Sign the token with your RSA key
52. jku and x5u: downgrade
PentesterLab.com / @PentesterLab
• The RFC calls out enforcing TLS to avoid MITM
• Few implementations get it wrong:
Enforcing when you set the value
vs
Enforcing when you fetch the key
57. Conclusion
PentesterLab.com / @PentesterLab
• JWT are complex and kind of insecure by design
(make sure you check https://github.com/paragonie/paseto)
• JWT libraries introduce very interesting bugs
• Make sure you test for those if you write code,
pentest or do bug bounties
58. Any questions?
FOR YOUR TIME !
THANKS
louis@pentesterlab.com / PentesterLab.com / @PentesterLab