SlideShare a Scribd company logo

JWT: jku x5u

S
snyff

Talk on JWT jku and x5u and how to attack them

Internet
1 of 58
Download to read offline
JWT jku&x5u = ❤ Attacking JSON WEB TOKENS… Louis Nyffenegger @PentesterLab louis@pentesterlab.com
About me PentesterLab.com / @PentesterLab Security Engineer PentesterLab: Pentester/Code Reviewer/Security consultant/Security architect Platform to learn web security/penetration testing 100% Hands-on Available for individuals (free and PRO) and enterprises Run a website to help people learn security
Who uses JWT? PentesterLab.com / @PentesterLab • A lot of people for OAuth2 • A lot of people for sessions • A lot of people to manage trust • A lot of people for password reset • A lot of people who care about being stateless and multi-datacenter architecture
Crypto 101
Signature vs Encryption PentesterLab.com / @PentesterLab Encryption gives you confidentiality Signature gives you integrity
Multiple ways of signing PentesterLab.com / @PentesterLab • With a secret using HMAC • With a private key using RSA/EC/… (asymmetric)
Signing with a secret PentesterLab.com / @PentesterLab Sign! Verify! Secret
Signing: asymmetric PentesterLab.com / @PentesterLab Sign! PrivatePublic Verify!
THE JWT FORMAT
JavaScript Object Notation (JSON) PentesterLab.com / @PentesterLab Human readable format to store or transmit objects
The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature 3 parts in a JSON Web Token:
The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature Separated by a dot . .
The Compact JWS Format PentesterLab.com / @PentesterLab eyJ0eXAiOiJK V1QiLCJhbGci OiJIUzI1NiJ9 eyJsb2dpbi I6ImFkb WluIn0 FSfvCBAwypJ4abF6 jFLmR7JgZhkW674 Z8dIdAIRyt1E Separated by a dot . . eyJ = Base64('{"')
The Compact JWS Format PentesterLab.com / @PentesterLab Base64({…}) Base64({…}) Base64(…) Header and Payload are base64* encoded JSON . . * urlsafe base64 encoding without padding The signature is also base64 encoded
The Compact JWS Format: Encoding PentesterLab.com / @PentesterLab Urlsafe base64 encoding without padding: *https://tools.ietf.org/html/rfc7515#appendix-C
The JWT Format: header PentesterLab.com / @PentesterLab Base64({"alg": "HS256", "typ": "JWS"}) The header contains an algorithm “alg” attribute: In this example HMAC with SHA256 was used To tell how the token was signed. … . . …
The JWT Format: Algorithms PentesterLab.com / @PentesterLab A lot of different algorithms are supported*: None * https://jwt.io/ covers most HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
The JWT Format: payload PentesterLab.com / @PentesterLab … The payload may contain literally anything: Base64({"user":"admin", "roles": ["adm","users"]}). . …
The JWT Format: payload PentesterLab.com / @PentesterLab The payload may contain registered claims: Base64({"user":"admin", "exp":12…, "iat":1234.. }). .… …
The JWT Format: creating a token PentesterLab.com / @PentesterLab • Create the JSON header and base64 encode it • Create the JSON payload and base64 encode it • Concatenate with a dot the (encoded) header and payload • Sign the result (header+.+payload) • Base64 encode the signature • Append a dot then the signature
The JWT Format: verifying a token PentesterLab.com / @PentesterLab • Split the token in three parts based on the dots • Base64 decode each part • Parse the JSON for the header and payload • Retrieve the algorithm from the header • Verify the signature based on the algorithm • Verify the claims
Classic JWT attacks PentesterLab.com / @PentesterLab • None algorithm • Trivial secret • Algorithm confusion • Injection in the kid parameter • CVE-2018-0114 •
jku & x5u
jku and x5u PentesterLab.com / @PentesterLab • If you read some of the JWS RFC, you probably learnt about jku and x5u parameter for the headers • People are starting to use jku (JWK URL)
The JWT Format: jku&x5u PentesterLab.com / @PentesterLab Base64({"jku": "https://...", ...}) … . . … Base64({"x5u": "https://...", ...}) … . . …
The JWT Format: jwk PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw", "e": "AQAB", "alg": "RS256" } ] }
The JWT Format: x5c PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=", "alg": "RS256" } ] }
jku and x5u PentesterLab.com / @PentesterLab Application Trusted Server User
Application Trusted Server User HTTP Request with JWT1 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
Fetching of the JWK based on the “jku” header Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Attacker Fetching of the malicious JWK based on the “jku” header
jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2 3 Attacker Fetching of the malicious JWK based on the “jku” header
jku and x5u PentesterLab.com / @PentesterLab Turns out filtering URLs is incredibly hard
jku and x5u : regular expression PentesterLab.com / @PentesterLab https://trusted.example.com => https://trustedzexample.com
jku and x5u : starts with PentesterLab.com / @PentesterLab https://trusted => https://trusted@pentesterlab.com https://trusted/jwks/ => https://trusted/jwks/../file_uploaded https://trusted/jwks/ => https://trusted/jwks/../open_redirect https://trusted/jwks/ => https://trusted/jwks/../header_injection
3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server HTTP Request with malicious JWT1 Malicious Server 3 Fetching of the JWK based on the “jku” header Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the malicious JWK5 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the JWK from the header injection 5 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Libraries: jku header injection - Exploitation PentesterLab.com / @PentesterLab Exploitation: • Find a Header Injection • Use the Header Injection to return your JWK • Add the Header Injection as jku • Sign the token with your RSA key
jku and x5u: downgrade PentesterLab.com / @PentesterLab • The RFC calls out enforcing TLS to avoid MITM • Few implementations get it wrong: Enforcing when you set the value vs Enforcing when you fetch the key
Conclusion
Recommendations PentesterLab.com / @PentesterLab ✓ Use strong keys and secrets ✓ Don’t store them in your source code ✓ Make sure you have key rotation built-in
Recommendations PentesterLab.com / @PentesterLab ✓ Review the libraries you pick (KISS library) ✓ Make sure you check the signature ✓ Make sure your tokens expire ✓ Enforce the algorithm
Recommendations PentesterLab.com / @PentesterLab ✓ Test for x5u and jku ✓ Don't burn Open Redirect ✓ Read RFC ✓ Hack all the things!
Conclusion PentesterLab.com / @PentesterLab • JWT are complex and kind of insecure by design (make sure you check https://github.com/paragonie/paseto) • JWT libraries introduce very interesting bugs • Make sure you test for those if you write code, pentest or do bug bounties
Any questions? FOR YOUR TIME ! THANKS louis@pentesterlab.com / PentesterLab.com / @PentesterLab

Recommended

Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
아해2019 SpringAOP 문겸
아해2019 SpringAOP 문겸아해2019 SpringAOP 문겸
아해2019 SpringAOP 문겸MoonGyeom1
 

Recommended

Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
아해2019 SpringAOP 문겸
아해2019 SpringAOP 문겸아해2019 SpringAOP 문겸
아해2019 SpringAOP 문겸MoonGyeom1
 
DHT Kademlia
DHT KademliaDHT Kademlia
DHT KademliaRyo Yoneyama
 
Introduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus SabadelloIntroduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus SabadelloSSIMeetup
 
Scaling up task processing with Celery
Scaling up task processing with CeleryScaling up task processing with Celery
Scaling up task processing with CeleryNicolas Grasset
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
Blacklist3r
Blacklist3rBlacklist3r
Blacklist3rSanjay Gondaliya
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기Yungon Park
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해beom kyun choi
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Michel Schudel
 
elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리Junyi Song
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Workshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les basesWorkshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les basesAntoine Rey
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 

More Related Content

What's hot

Introduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus SabadelloIntroduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus SabadelloSSIMeetup
 
Scaling up task processing with Celery
Scaling up task processing with CeleryScaling up task processing with Celery
Scaling up task processing with CeleryNicolas Grasset
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기Yungon Park
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해beom kyun choi
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Michel Schudel
 
elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리Junyi Song
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Workshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les basesWorkshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les basesAntoine Rey
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 

What's hot (20)

DHT Kademlia
DHT KademliaDHT Kademlia
DHT Kademlia
 
Introduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus SabadelloIntroduction to DID Auth for SSI with Markus Sabadello
Introduction to DID Auth for SSI with Markus Sabadello
 
Scaling up task processing with Celery
Scaling up task processing with CeleryScaling up task processing with Celery
Scaling up task processing with Celery
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
Blacklist3r
Blacklist3rBlacklist3r
Blacklist3r
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injection
 
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기PyCon Korea 2018 - 파이썬으로 학생 들여다보기
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
 
elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리elasticsearch_적용 및 활용_정리
elasticsearch_적용 및 활용_정리
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Workshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les basesWorkshop Spring - Session 1 - L'offre Spring et les bases
Workshop Spring - Session 1 - L'offre Spring et les bases
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 

Similar to JWT: jku x5u

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101Steve Martinelli
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуляPositive Hack Days
 
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyJava EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyPeter Pilgrim
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimPayara
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8OPEN KNOWLEDGE GmbH
 
OpenStack Swift的性能调优
OpenStack Swift的性能调优OpenStack Swift的性能调优
OpenStack Swift的性能调优Hardway Hou
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
 
Con fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiCon fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiBhakti Mehta
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaOtávio Santana
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from ScratchDenis Kolegov
 
Going realtime with Socket.IO
Going realtime with Socket.IOGoing realtime with Socket.IO
Going realtime with Socket.IOChristian Joudrey
 

Similar to JWT: jku x5u (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
 
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyJava EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
 
OpenStack Swift的性能调优
OpenStack Swift的性能调优OpenStack Swift的性能调优
OpenStack Swift的性能调优
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Con fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiCon fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhakti
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - Mexico
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - Guatemala
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from Scratch
 
Going realtime with Socket.IO
Going realtime with Socket.IOGoing realtime with Socket.IO
Going realtime with Socket.IO
 

More from snyff

Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)snyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 

More from snyff (10)

Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Stronger
 

Recently uploaded

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 

Recently uploaded (20)

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 

JWT: jku x5u

  • 1. JWT jku&x5u = ❤ Attacking JSON WEB TOKENS… Louis Nyffenegger @PentesterLab louis@pentesterlab.com
  • 2. About me PentesterLab.com / @PentesterLab Security Engineer PentesterLab: Pentester/Code Reviewer/Security consultant/Security architect Platform to learn web security/penetration testing 100% Hands-on Available for individuals (free and PRO) and enterprises Run a website to help people learn security
  • 3. Who uses JWT? PentesterLab.com / @PentesterLab • A lot of people for OAuth2 • A lot of people for sessions • A lot of people to manage trust • A lot of people for password reset • A lot of people who care about being stateless and multi-datacenter architecture
  • 5. Signature vs Encryption PentesterLab.com / @PentesterLab Encryption gives you confidentiality Signature gives you integrity
  • 6. Multiple ways of signing PentesterLab.com / @PentesterLab • With a secret using HMAC • With a private key using RSA/EC/… (asymmetric)
  • 7. Signing with a secret PentesterLab.com / @PentesterLab Sign! Verify! Secret
  • 8. Signing: asymmetric PentesterLab.com / @PentesterLab Sign! PrivatePublic Verify!
  • 10. JavaScript Object Notation (JSON) PentesterLab.com / @PentesterLab Human readable format to store or transmit objects
  • 11. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature 3 parts in a JSON Web Token:
  • 12. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature Separated by a dot . .
  • 13. The Compact JWS Format PentesterLab.com / @PentesterLab eyJ0eXAiOiJK V1QiLCJhbGci OiJIUzI1NiJ9 eyJsb2dpbi I6ImFkb WluIn0 FSfvCBAwypJ4abF6 jFLmR7JgZhkW674 Z8dIdAIRyt1E Separated by a dot . . eyJ = Base64('{"')
  • 14. The Compact JWS Format PentesterLab.com / @PentesterLab Base64({…}) Base64({…}) Base64(…) Header and Payload are base64* encoded JSON . . * urlsafe base64 encoding without padding The signature is also base64 encoded
  • 15. The Compact JWS Format: Encoding PentesterLab.com / @PentesterLab Urlsafe base64 encoding without padding: *https://tools.ietf.org/html/rfc7515#appendix-C
  • 16. The JWT Format: header PentesterLab.com / @PentesterLab Base64({"alg": "HS256", "typ": "JWS"}) The header contains an algorithm “alg” attribute: In this example HMAC with SHA256 was used To tell how the token was signed. … . . …
  • 17. The JWT Format: Algorithms PentesterLab.com / @PentesterLab A lot of different algorithms are supported*: None * https://jwt.io/ covers most HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
  • 18. The JWT Format: payload PentesterLab.com / @PentesterLab … The payload may contain literally anything: Base64({"user":"admin", "roles": ["adm","users"]}). . …
  • 19. The JWT Format: payload PentesterLab.com / @PentesterLab The payload may contain registered claims: Base64({"user":"admin", "exp":12…, "iat":1234.. }). .… …
  • 20. The JWT Format: creating a token PentesterLab.com / @PentesterLab • Create the JSON header and base64 encode it • Create the JSON payload and base64 encode it • Concatenate with a dot the (encoded) header and payload • Sign the result (header+.+payload) • Base64 encode the signature • Append a dot then the signature
  • 21. The JWT Format: verifying a token PentesterLab.com / @PentesterLab • Split the token in three parts based on the dots • Base64 decode each part • Parse the JSON for the header and payload • Retrieve the algorithm from the header • Verify the signature based on the algorithm • Verify the claims
  • 22. Classic JWT attacks PentesterLab.com / @PentesterLab • None algorithm • Trivial secret • Algorithm confusion • Injection in the kid parameter • CVE-2018-0114 •
  • 24. jku and x5u PentesterLab.com / @PentesterLab • If you read some of the JWS RFC, you probably learnt about jku and x5u parameter for the headers • People are starting to use jku (JWK URL)
  • 25. The JWT Format: jku&x5u PentesterLab.com / @PentesterLab Base64({"jku": "https://...", ...}) … . . … Base64({"x5u": "https://...", ...}) … . . …
  • 26. The JWT Format: jwk PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw", "e": "AQAB", "alg": "RS256" } ] }
  • 27. The JWT Format: x5c PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=", "alg": "RS256" } ] }
  • 28. jku and x5u PentesterLab.com / @PentesterLab Application Trusted Server User
  • 29. Application Trusted Server User HTTP Request with JWT1 jku and x5u PentesterLab.com / @PentesterLab
  • 30. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 jku and x5u PentesterLab.com / @PentesterLab
  • 31. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 32. Fetching of the JWK based on the “jku” header Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 jku and x5u PentesterLab.com / @PentesterLab
  • 33. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 34. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 35. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Attacker Fetching of the malicious JWK based on the “jku” header
  • 36. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2 3 Attacker Fetching of the malicious JWK based on the “jku” header
  • 37. jku and x5u PentesterLab.com / @PentesterLab Turns out filtering URLs is incredibly hard
  • 38. jku and x5u : regular expression PentesterLab.com / @PentesterLab https://trusted.example.com => https://trustedzexample.com
  • 39. jku and x5u : starts with PentesterLab.com / @PentesterLab https://trusted => https://trusted@pentesterlab.com https://trusted/jwks/ => https://trusted/jwks/../file_uploaded https://trusted/jwks/ => https://trusted/jwks/../open_redirect https://trusted/jwks/ => https://trusted/jwks/../header_injection
  • 40. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 41. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server HTTP Request with malicious JWT1 Malicious Server 3 Fetching of the JWK based on the “jku” header Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 42. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 43. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 44. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 45. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the malicious JWK5 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 46. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 47. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 48. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 49. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 50. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the JWK from the header injection 5 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 51. Libraries: jku header injection - Exploitation PentesterLab.com / @PentesterLab Exploitation: • Find a Header Injection • Use the Header Injection to return your JWK • Add the Header Injection as jku • Sign the token with your RSA key
  • 52. jku and x5u: downgrade PentesterLab.com / @PentesterLab • The RFC calls out enforcing TLS to avoid MITM • Few implementations get it wrong: Enforcing when you set the value vs Enforcing when you fetch the key
  • 54. Recommendations PentesterLab.com / @PentesterLab ✓ Use strong keys and secrets ✓ Don’t store them in your source code ✓ Make sure you have key rotation built-in
  • 55. Recommendations PentesterLab.com / @PentesterLab ✓ Review the libraries you pick (KISS library) ✓ Make sure you check the signature ✓ Make sure your tokens expire ✓ Enforce the algorithm
  • 56. Recommendations PentesterLab.com / @PentesterLab ✓ Test for x5u and jku ✓ Don't burn Open Redirect ✓ Read RFC ✓ Hack all the things!
  • 57. Conclusion PentesterLab.com / @PentesterLab • JWT are complex and kind of insecure by design (make sure you check https://github.com/paragonie/paseto) • JWT libraries introduce very interesting bugs • Make sure you test for those if you write code, pentest or do bug bounties
  • 58. Any questions? FOR YOUR TIME ! THANKS louis@pentesterlab.com / PentesterLab.com / @PentesterLab