Topic: JWT Parkour
Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls.
In this presentation we will learn how to exploit (with demos) some of these issues in the use of JWT. After covering the basics (None and Algorithm confusion), we will move on to kid injection and embedded JWK (CVE-2018-0114). Finally, we will look at the jku and x5u attributes and how they can be abused by chaining vulnerabilities.
Speaker: Louis Nyffenegger - Founder, PentesterLab
Louis is a security engineer based in Melbourne, Australia, where he performs pentests, architecture reviews and code reviews. Louis is the founder of PentesterLab, a learning platform for web penetration testing. Recently, Louis talked at OWASP AppSec Day Melbourne and BSides Canberra (one of the biggest BSides) and ran 2 workshops at Defcon 2018.
At the end of the presentation, there will be an opportunity for participants to ask the speaker questions via the Q&A box.
This webinar is free and only available to AISA Members. Please click here to register online.
Non-AISA Members: If you would like to become an AISA member, you can join here.
For any queries regarding this event, please contact AISA Event & Sponsorship Manager, Susanna Palermo, via email [email protected] or visit our website www.aisa.org.au.
AISA has evaluated the use of Zoom based on the Traffic Light Protocol, which was created to facilitate greater information sharing. AISA webinars are considered TLP White, as the information carries minimal or no foreseeable risk of misuse. In addition, AISA has evaluated the use of Zoom for this purpose as aligned to ACSC Web Conferencing Security, April 2020 (see https://www.cyber.gov.au/publications/web-conferencing-security), and has implemented controls to minimise risks. You are required to register for the webinar via the Zoom