• Infosec In the City (IIC)

JSON Web Token (JWT) Security: Attacking the Guardian — by Shivam Bathla

SINCON 2020 Conference Insights Track


Day 1 (2 Jan 2021)

1.30pm—2.15pm

@ Main Stage


[SINCON 2020 Conference Full Schedule]


Abstract

REST APIs are the new and flexible way of making interactions over the web. Since HTTP is inherently stateless and in order to authorize a request, "something" is needed to assure its validity! JSON Web Token (JWT) is one of the standards that can be used for this purpose. JWT standard is used for creating tokens that assert some number of claims e.g. a logged-in user, user role. And, as more websites and applications are moving to use REST APIs, it is important for a security practitioner to understand JWT security risks, attacks, and defense.


This talk will take you through various security risks of JWT, including confidentiality problems, vulnerabilities in algorithms and libraries, token cracking, token sidejacking, and more. It will also cover the common mistakes and best practices related to the JWT implementation.


About Shivam Bathla

SHIVAM BATHLA is a Security Researcher at Pentester Academy and Attack Defense. He is a developer turned Security Researcher. He has presented his research at ROOTCON 13. His main areas of interest are Web Application Security, Reverse Engineering, Malware Analysis, Vulnerability Research, and Cloud Security. He loves programming in C, Python, and Assembly.

125 views0 comments