Description
In this course, you will:
- learn everything there is to know about JSON Web Tokens (JWT).
- learn about weaknesses in common JWT implementations.
- learn a variety of practical JWT attacks.
- learn how to secure JWT deployments.
- learn how to perform REST API security testing using JWT.
- learn how to use the HS256 and RS256 algorithms.
- learn how to use the Hash-based Message Authentication Code (HMAC).
- learn how to use RSA digital signatures.
- learn how to practise cryptographic algorithms using the openssl command line client.
Syllabus:
1. Introduction to JWT
- Custom Vulnerable APIs - Download
- What is JWT?
- JWT Structure
- Base64 vs Base64url encoding
- A word about JWT Signature
- How does JWT work?
- API Documentation - Download
- JWT Demo
2. JWT in depth
- JWT Headers
- JWT Payload
- JWT Signature
- Understanding HS256
- HS256 Demo
- Understanding RS256
- RS256 Demo
- None Algorithm Demo
3. JWT - Command-line Kung-Fu
- Manually creating an HS256 signature
- Generating RSA keys using OpenSSL
- Manually creating an RS256 signature
4. JWT Attacks and Defenses
- Abusing the None algorithm - Demo
- Abusing the None algorithm using Burp Suite - Demo
- Signature stripping attack - Demo
- Brute-forcing the HS256 secret key - Demo
- Substitution attack - Demo
- Defenses