
Explore the course structure from a basic JWT introduction and lab setup to in-depth token creation, validation, and command-line generation using HS 256 and RS 256 plus attacks and defenses.
Set up the lab for hacking and securing JWTs by configuring VirtualBox with Kali Linux and the secure store JWT VM. Use Postman and OpenSSL to practice with JWTs.
Explain how the header and payload encode, and how the signature is produced using cryptographic algorithms like HS 256 and RS 256 in json web tokens.
Explains how a client obtains a JWT from an authorization server after authenticating with credentials, and how resource servers verify the token’s integrity, guarding access against tampered tokens.
Watch a JWT demo using Postman to log in, obtain a bearer token, and request credit card data from a secure store, showing tampering causes signature verification to fail.
Understand JSON web tokens by examining header, payload, and signature, where header and payload are base64-encoded, not encrypted, so avoid sensitive information and use the signature to validate the payload.
Explore how the JWT signature combines header, payload, and a key with an algorithm to prevent tampering, focusing on HS 256 and RS 256.
Learn how HS256 uses sha-256 hmac to sign json web tokens by combining base64 header and payload with a shared secret. Recognize risks from key distribution, server compromise, and tampering.
Explain how RS256 signs the JWT header and payload with RSA private key and SHA-256 hashing to form a digital signature, verified by public keys on resource servers.
Generate a 2048-bit RSA private key and its public key with OpenSSL, saving them in the rsa keys directory, and learn how RSA 256 signatures use the private key.
Manually create an RS256 signature for a JSON Web Token using the command line, OpenSSL, and base64url encoding of the JWT header and payload with sha-256.
Explore attacks on insecure json web tokens implementations, including nun algorithm, signature stripping, cracking weak shared secrets, and substitution attacks, with practical demos and a lab setup.
Demonstrates abusing the none algorithm in jwt tokens by tampering the payload to impersonate admin and reveal the admin's credit card number, illustrating how missing signature checks enable token forgery.
We demonstrate a signature stripping attack on JSON web tokens, showing how tampering header and payload to none can access the admin credit card number.
Demonstrates cracking weak HS256 shared secrets using a JWT cracker to forge valid tokens and signatures, highlighting the security risks of HS256 and the importance of strong shared keys.
Demonstrate a substitution attack on json web tokens by altering header and payload to admin, and explain how public-key verification and algorithm choices affect token validity.
defend jwt tokens by whitelisting algorithms, avoiding none type, using separate decoding functions for rs256 and hs256 to prevent signature stripping and substitution attacks, and using strong shared secrets.
This course teaches various insecure implementations of Json Web Token (JWT) based REST APIs. This course begins by introducing students to the fundamental Json Web Token concepts. Even though, this is an entry level to intermediate level course, we encourage you to take this course if you already have basic Web Security knowledge as this course is designed to provide knowledge specific to Json Web Tokens and it does not cover the fundamentals of Web Security Testing and REST API Security Testing. Do note that the course involves a lot of JWT fundamental concepts and only the last module covers the practical attacks against JWT. So, please get your expectation right before jumping on the course. Rest Assured, you will feel confident about Json Web Tokens and JWT Security testing after completing this course.
As a bonus, a Virtual Machine is provided with all the source code used in the labs. So, you can change the code to have few more vulnerable implementations of JWT.