Introduction to JWT Attacks

21.2K views
Jun 1, 2023
16:33

πŸ‘©β€πŸŽ“πŸ‘¨β€πŸŽ“ Learn about JSON Web Token (JWT) vulnerabilities. This video provides an introduction to JWT's; what are they? How are they formatted? What's a JWT signature? What are JWS's and JWE's? What are JWT attacks? What impact do they have? How do the vulnerabilities arise? How can we work with JWTs (jwt.io, CyberChef, burp, jwt_tool etc). This theory-focused video will offer some fundamental background knowledge that will assist in the practical labs, covered in future videos πŸ”œ Overview: 0:00 Intro 0:46 JWT Attacks 1:13 What are JSON Web Tokens? 1:43 JWT Format 2:26 JWT Signature 2:57 JWT vs JWS vs JWE 3:35 Impact/Cause of JWT Vulnerabilities 4:44 JWT Tampering Demo (Python) 7:00 Working with JWTs (jwt.io, CyberChef) 9:10 Automating Attacks Against JWTs (jwt_tool) 12:34 Burp Extensions (JSON Web Tokens + JWT Editor) 15:57 Conclusion For more information, check out https://portswigger.net/web-security/jwt πŸ”— @PortSwiggerTV labs: https://portswigger.net/web-security/all-labs#jwt πŸ§‘πŸ’» Sign up and start hacking right now - https://go.intigriti.com/register πŸ‘Ύ Join our Discord - https://go.intigriti.com/discord πŸŽ™οΈ This show is hosted by https://twitter.com/_CryptoCat ( @_CryptoCat ) & https://twitter.com/intigriti πŸ‘• Do you want some Intigriti Swag? Check out https://swag.intigriti.com 🐍 Python scripts demonstrated in this series can be found here: https://github.com/Crypto-Cat/CTF/tree/main/web/WebSecurityAcademy/jwt πŸ“š Additional resources πŸ“š https://jwt.io https://gchq.github.io/CyberChef https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens https://portswigger.net/burp/documentation/desktop/testing-workflow/session-management/jwts https://github.com/ticarpi/jwt_tool/wiki
