SlideShare une entreprise Scribd logo

JWT: jku x5u

S
snyff

Talk on JWT jku and x5u and how to attack them

Internet
1  sur  58
Télécharger pour lire hors ligne
JWT jku&x5u = ❤ Attacking JSON WEB TOKENS… Louis Nyffenegger @PentesterLab louis@pentesterlab.com
About me PentesterLab.com / @PentesterLab Security Engineer PentesterLab: Pentester/Code Reviewer/Security consultant/Security architect Platform to learn web security/penetration testing 100% Hands-on Available for individuals (free and PRO) and enterprises Run a website to help people learn security
Who uses JWT? PentesterLab.com / @PentesterLab • A lot of people for OAuth2 • A lot of people for sessions • A lot of people to manage trust • A lot of people for password reset • A lot of people who care about being stateless and multi-datacenter architecture
Crypto 101
Signature vs Encryption PentesterLab.com / @PentesterLab Encryption gives you confidentiality Signature gives you integrity
Multiple ways of signing PentesterLab.com / @PentesterLab • With a secret using HMAC • With a private key using RSA/EC/… (asymmetric)
Signing with a secret PentesterLab.com / @PentesterLab Sign! Verify! Secret
Signing: asymmetric PentesterLab.com / @PentesterLab Sign! PrivatePublic Verify!
THE JWT FORMAT
JavaScript Object Notation (JSON) PentesterLab.com / @PentesterLab Human readable format to store or transmit objects
The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature 3 parts in a JSON Web Token:
The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature Separated by a dot . .
The Compact JWS Format PentesterLab.com / @PentesterLab eyJ0eXAiOiJK V1QiLCJhbGci OiJIUzI1NiJ9 eyJsb2dpbi I6ImFkb WluIn0 FSfvCBAwypJ4abF6 jFLmR7JgZhkW674 Z8dIdAIRyt1E Separated by a dot . . eyJ = Base64('{"')
The Compact JWS Format PentesterLab.com / @PentesterLab Base64({…}) Base64({…}) Base64(…) Header and Payload are base64* encoded JSON . . * urlsafe base64 encoding without padding The signature is also base64 encoded
The Compact JWS Format: Encoding PentesterLab.com / @PentesterLab Urlsafe base64 encoding without padding: *https://tools.ietf.org/html/rfc7515#appendix-C
The JWT Format: header PentesterLab.com / @PentesterLab Base64({"alg": "HS256", "typ": "JWS"}) The header contains an algorithm “alg” attribute: In this example HMAC with SHA256 was used To tell how the token was signed. … . . …
The JWT Format: Algorithms PentesterLab.com / @PentesterLab A lot of different algorithms are supported*: None * https://jwt.io/ covers most HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
The JWT Format: payload PentesterLab.com / @PentesterLab … The payload may contain literally anything: Base64({"user":"admin", "roles": ["adm","users"]}). . …
The JWT Format: payload PentesterLab.com / @PentesterLab The payload may contain registered claims: Base64({"user":"admin", "exp":12…, "iat":1234.. }). .… …
The JWT Format: creating a token PentesterLab.com / @PentesterLab • Create the JSON header and base64 encode it • Create the JSON payload and base64 encode it • Concatenate with a dot the (encoded) header and payload • Sign the result (header+.+payload) • Base64 encode the signature • Append a dot then the signature
The JWT Format: verifying a token PentesterLab.com / @PentesterLab • Split the token in three parts based on the dots • Base64 decode each part • Parse the JSON for the header and payload • Retrieve the algorithm from the header • Verify the signature based on the algorithm • Verify the claims
Classic JWT attacks PentesterLab.com / @PentesterLab • None algorithm • Trivial secret • Algorithm confusion • Injection in the kid parameter • CVE-2018-0114 •
jku & x5u
jku and x5u PentesterLab.com / @PentesterLab • If you read some of the JWS RFC, you probably learnt about jku and x5u parameter for the headers • People are starting to use jku (JWK URL)
The JWT Format: jku&x5u PentesterLab.com / @PentesterLab Base64({"jku": "https://...", ...}) … . . … Base64({"x5u": "https://...", ...}) … . . …
The JWT Format: jwk PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw", "e": "AQAB", "alg": "RS256" } ] }
The JWT Format: x5c PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=", "alg": "RS256" } ] }
jku and x5u PentesterLab.com / @PentesterLab Application Trusted Server User
Application Trusted Server User HTTP Request with JWT1 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
Fetching of the JWK based on the “jku” header Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Attacker Fetching of the malicious JWK based on the “jku” header
jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2 3 Attacker Fetching of the malicious JWK based on the “jku” header
jku and x5u PentesterLab.com / @PentesterLab Turns out filtering URLs is incredibly hard
jku and x5u : regular expression PentesterLab.com / @PentesterLab https://trusted.example.com => https://trustedzexample.com
jku and x5u : starts with PentesterLab.com / @PentesterLab https://trusted => https://trusted@pentesterlab.com https://trusted/jwks/ => https://trusted/jwks/../file_uploaded https://trusted/jwks/ => https://trusted/jwks/../open_redirect https://trusted/jwks/ => https://trusted/jwks/../header_injection
3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server HTTP Request with malicious JWT1 Malicious Server 3 Fetching of the JWK based on the “jku” header Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the malicious JWK5 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the JWK from the header injection 5 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
Libraries: jku header injection - Exploitation PentesterLab.com / @PentesterLab Exploitation: • Find a Header Injection • Use the Header Injection to return your JWK • Add the Header Injection as jku • Sign the token with your RSA key
jku and x5u: downgrade PentesterLab.com / @PentesterLab • The RFC calls out enforcing TLS to avoid MITM • Few implementations get it wrong: Enforcing when you set the value vs Enforcing when you fetch the key
Conclusion
Recommendations PentesterLab.com / @PentesterLab ✓ Use strong keys and secrets ✓ Don’t store them in your source code ✓ Make sure you have key rotation built-in
Recommendations PentesterLab.com / @PentesterLab ✓ Review the libraries you pick (KISS library) ✓ Make sure you check the signature ✓ Make sure your tokens expire ✓ Enforce the algorithm
Recommendations PentesterLab.com / @PentesterLab ✓ Test for x5u and jku ✓ Don't burn Open Redirect ✓ Read RFC ✓ Hack all the things!
Conclusion PentesterLab.com / @PentesterLab • JWT are complex and kind of insecure by design (make sure you check https://github.com/paragonie/paseto) • JWT libraries introduce very interesting bugs • Make sure you test for those if you write code, pentest or do bug bounties
Any questions? FOR YOUR TIME ! THANKS louis@pentesterlab.com / PentesterLab.com / @PentesterLab

Recommandé

Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwtJaya Kumar Kondapalli
 

Recommandé

Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwtJaya Kumar Kondapalli
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
五行完成網頁多國語系
五行完成網頁多國語系五行完成網頁多國語系
五行完成網頁多國語系amostsai
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf한 경만
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Jwt Security
Jwt SecurityJwt Security
Jwt SecuritySeid Yassin
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
JSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebJSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebGregg Kellogg
 
ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策Hiroshi Tokumaru
 
使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務升煌 黃
 
Client Side Monitoring With Prometheus
Client Side Monitoring With PrometheusClient Side Monitoring With Prometheus
Client Side Monitoring With PrometheusWeaveworks
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 

Contenu connexe

Tendances

Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
五行完成網頁多國語系
五行完成網頁多國語系五行完成網頁多國語系
五行完成網頁多國語系amostsai
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf한 경만
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
JSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebJSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebGregg Kellogg
 
ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策Hiroshi Tokumaru
 
使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務升煌 黃
 
Client Side Monitoring With Prometheus
Client Side Monitoring With PrometheusClient Side Monitoring With Prometheus
Client Side Monitoring With PrometheusWeaveworks
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 

Tendances (20)

OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
五行完成網頁多國語系
五行完成網頁多國語系五行完成網頁多國語系
五行完成網頁多國語系
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
JSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebJSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social Web
 
ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策ログイン前セッションフィクセイション攻撃の脅威と対策
ログイン前セッションフィクセイション攻撃の脅威と対策
 
使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務
 
Client Side Monitoring With Prometheus
Client Side Monitoring With PrometheusClient Side Monitoring With Prometheus
Client Side Monitoring With Prometheus
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 

Similaire à JWT: jku x5u

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101Steve Martinelli
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуляPositive Hack Days
 
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyJava EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyPeter Pilgrim
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimPayara
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8OPEN KNOWLEDGE GmbH
 
OpenStack Swift的性能调优
OpenStack Swift的性能调优OpenStack Swift的性能调优
OpenStack Swift的性能调优Hardway Hou
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Con fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiCon fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiBhakti Mehta
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaOtávio Santana
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from ScratchDenis Kolegov
 

Similaire à JWT: jku x5u (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
 
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and NoteworthyJava EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
Java EE & Glass Fish User Group: Digital JavaEE 7 - New and Noteworthy
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
 
OpenStack Swift的性能调优
OpenStack Swift的性能调优OpenStack Swift的性能调优
OpenStack Swift的性能调优
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Con fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhaktiCon fess 2013-sse-websockets-json-bhakti
Con fess 2013-sse-websockets-json-bhakti
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - Mexico
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - Guatemala
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from Scratch
 

Plus de snyff

Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)snyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 

Plus de snyff (10)

Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Stronger
 

Dernier

Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Datingkojalkojal131
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceEscorts Call Girls
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubaikojalkojal131
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceDelhi Call girls
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...SUHANI PANDEY
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...roncy bisnoi
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 

Dernier (20)

Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 

JWT: jku x5u

  • 1. JWT jku&x5u = ❤ Attacking JSON WEB TOKENS… Louis Nyffenegger @PentesterLab louis@pentesterlab.com
  • 2. About me PentesterLab.com / @PentesterLab Security Engineer PentesterLab: Pentester/Code Reviewer/Security consultant/Security architect Platform to learn web security/penetration testing 100% Hands-on Available for individuals (free and PRO) and enterprises Run a website to help people learn security
  • 3. Who uses JWT? PentesterLab.com / @PentesterLab • A lot of people for OAuth2 • A lot of people for sessions • A lot of people to manage trust • A lot of people for password reset • A lot of people who care about being stateless and multi-datacenter architecture
  • 5. Signature vs Encryption PentesterLab.com / @PentesterLab Encryption gives you confidentiality Signature gives you integrity
  • 6. Multiple ways of signing PentesterLab.com / @PentesterLab • With a secret using HMAC • With a private key using RSA/EC/… (asymmetric)
  • 7. Signing with a secret PentesterLab.com / @PentesterLab Sign! Verify! Secret
  • 8. Signing: asymmetric PentesterLab.com / @PentesterLab Sign! PrivatePublic Verify!
  • 10. JavaScript Object Notation (JSON) PentesterLab.com / @PentesterLab Human readable format to store or transmit objects
  • 11. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature 3 parts in a JSON Web Token:
  • 12. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature Separated by a dot . .
  • 13. The Compact JWS Format PentesterLab.com / @PentesterLab eyJ0eXAiOiJK V1QiLCJhbGci OiJIUzI1NiJ9 eyJsb2dpbi I6ImFkb WluIn0 FSfvCBAwypJ4abF6 jFLmR7JgZhkW674 Z8dIdAIRyt1E Separated by a dot . . eyJ = Base64('{"')
  • 14. The Compact JWS Format PentesterLab.com / @PentesterLab Base64({…}) Base64({…}) Base64(…) Header and Payload are base64* encoded JSON . . * urlsafe base64 encoding without padding The signature is also base64 encoded
  • 15. The Compact JWS Format: Encoding PentesterLab.com / @PentesterLab Urlsafe base64 encoding without padding: *https://tools.ietf.org/html/rfc7515#appendix-C
  • 16. The JWT Format: header PentesterLab.com / @PentesterLab Base64({"alg": "HS256", "typ": "JWS"}) The header contains an algorithm “alg” attribute: In this example HMAC with SHA256 was used To tell how the token was signed. … . . …
  • 17. The JWT Format: Algorithms PentesterLab.com / @PentesterLab A lot of different algorithms are supported*: None * https://jwt.io/ covers most HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
  • 18. The JWT Format: payload PentesterLab.com / @PentesterLab … The payload may contain literally anything: Base64({"user":"admin", "roles": ["adm","users"]}). . …
  • 19. The JWT Format: payload PentesterLab.com / @PentesterLab The payload may contain registered claims: Base64({"user":"admin", "exp":12…, "iat":1234.. }). .… …
  • 20. The JWT Format: creating a token PentesterLab.com / @PentesterLab • Create the JSON header and base64 encode it • Create the JSON payload and base64 encode it • Concatenate with a dot the (encoded) header and payload • Sign the result (header+.+payload) • Base64 encode the signature • Append a dot then the signature
  • 21. The JWT Format: verifying a token PentesterLab.com / @PentesterLab • Split the token in three parts based on the dots • Base64 decode each part • Parse the JSON for the header and payload • Retrieve the algorithm from the header • Verify the signature based on the algorithm • Verify the claims
  • 22. Classic JWT attacks PentesterLab.com / @PentesterLab • None algorithm • Trivial secret • Algorithm confusion • Injection in the kid parameter • CVE-2018-0114 •
  • 24. jku and x5u PentesterLab.com / @PentesterLab • If you read some of the JWS RFC, you probably learnt about jku and x5u parameter for the headers • People are starting to use jku (JWK URL)
  • 25. The JWT Format: jku&x5u PentesterLab.com / @PentesterLab Base64({"jku": "https://...", ...}) … . . … Base64({"x5u": "https://...", ...}) … . . …
  • 26. The JWT Format: jwk PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw", "e": "AQAB", "alg": "RS256" } ] }
  • 27. The JWT Format: x5c PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=", "alg": "RS256" } ] }
  • 28. jku and x5u PentesterLab.com / @PentesterLab Application Trusted Server User
  • 29. Application Trusted Server User HTTP Request with JWT1 jku and x5u PentesterLab.com / @PentesterLab
  • 30. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 jku and x5u PentesterLab.com / @PentesterLab
  • 31. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 32. Fetching of the JWK based on the “jku” header Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 jku and x5u PentesterLab.com / @PentesterLab
  • 33. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 34. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  • 35. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Attacker Fetching of the malicious JWK based on the “jku” header
  • 36. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2 3 Attacker Fetching of the malicious JWK based on the “jku” header
  • 37. jku and x5u PentesterLab.com / @PentesterLab Turns out filtering URLs is incredibly hard
  • 38. jku and x5u : regular expression PentesterLab.com / @PentesterLab https://trusted.example.com => https://trustedzexample.com
  • 39. jku and x5u : starts with PentesterLab.com / @PentesterLab https://trusted => https://trusted@pentesterlab.com https://trusted/jwks/ => https://trusted/jwks/../file_uploaded https://trusted/jwks/ => https://trusted/jwks/../open_redirect https://trusted/jwks/ => https://trusted/jwks/../header_injection
  • 40. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 41. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server HTTP Request with malicious JWT1 Malicious Server 3 Fetching of the JWK based on the “jku” header Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 42. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 43. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 44. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 45. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the malicious JWK5 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  • 46. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 47. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 48. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 49. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 50. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the JWK from the header injection 5 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  • 51. Libraries: jku header injection - Exploitation PentesterLab.com / @PentesterLab Exploitation: • Find a Header Injection • Use the Header Injection to return your JWK • Add the Header Injection as jku • Sign the token with your RSA key
  • 52. jku and x5u: downgrade PentesterLab.com / @PentesterLab • The RFC calls out enforcing TLS to avoid MITM • Few implementations get it wrong: Enforcing when you set the value vs Enforcing when you fetch the key
  • 54. Recommendations PentesterLab.com / @PentesterLab ✓ Use strong keys and secrets ✓ Don’t store them in your source code ✓ Make sure you have key rotation built-in
  • 55. Recommendations PentesterLab.com / @PentesterLab ✓ Review the libraries you pick (KISS library) ✓ Make sure you check the signature ✓ Make sure your tokens expire ✓ Enforce the algorithm
  • 56. Recommendations PentesterLab.com / @PentesterLab ✓ Test for x5u and jku ✓ Don't burn Open Redirect ✓ Read RFC ✓ Hack all the things!
  • 57. Conclusion PentesterLab.com / @PentesterLab • JWT are complex and kind of insecure by design (make sure you check https://github.com/paragonie/paseto) • JWT libraries introduce very interesting bugs • Make sure you test for those if you write code, pentest or do bug bounties
  • 58. Any questions? FOR YOUR TIME ! THANKS louis@pentesterlab.com / PentesterLab.com / @PentesterLab