Unfortunately, due to an unexpected delay in the visa process, Mazin Ahmed had to cancel his talk at Security Fest. JWT (JSON Web Token) is a popular authentication protocol for delivering stateless authentication. It has been highly popular in recent years because of its simplicity, performance, and the level of security it provides. The protocol is highly adapted for sessioning, authentication and authorization. However, a single mistake in the implementation can lead to the compromise of the entire application. In my presentation, I will show common implementation weaknesses observed in the wild, how to test and break JWT authentication, as well as demonstrate practical approaches for securing JWT against each described attack. In addition, I will release an open-source toolkit for testing JWT in modern applications.
Presented at Security Fest 2019.Speaker: Mazin Ahmed
Security Engineer, ProtonMail Mazin is a security consultant who specializes in web-application and mobile-application security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, Linkedin, and Oracle to name a few. Mazin is the developer of a number of popular open-source security tools that has been integrated into security testing frameworks and distributions. Furthermore, Mazin's research of WAF security has earned the 4th place on top web hacking techniques of 2015 award. Mazin also founded FullHunt, the next-generation vulnerability-intelligence platform.