Using and Abusing JSON Web Tokens: The road to authentication bypass by Bozidar Spirovski and Wekoslav Stefanovski
JSON Web Tokens are everywhere – you are using a bunch of them right now when you log in to almost anything on the Internet. It’s such a common technology, yet it’s very easy to get wrong. In this workshop, we get into the nitty-gritty of JWTs – what they are, how they work, and how to make sure we haven’t built an app that’s just waiting to be hacked.
The workshop’s goal is to make developers and security teams aware of the pitfalls that accompany JWTs by delving into real cases where JWTs were used improperly, leaving the application susceptible to attack. In our experience, improper implementation of JWTs is extremely commonplace, since JWTs are often associated with magical thinking, i.e. “I’m using JWTs, so I’m secure”.
JWTs are a powerful tool, and like all powerful tools they should be used carefully, with a full understanding of what they do and how to stay safe while using them.
This will be a hands-on workshop, where participants will be able to literally hack and abuse various ‘mishaps’ in how JWTs are implemented for authentication and authorization. We will then try to remedy some of these errors live, together with the audience. The examples will be in Python and JavaScript.