JSON Web Token Flaws - Python AppSec (by Duo Sec) - Veracode Security Labs Community Edition (free)

Video walkthrough for part 6 (Key Flaws in JSON Web Tokens) of the "Python AppSec (by Duo Security)" topic in Veracode Security Labs Community Edition (free) - *Apologies in advance that this lab had major bugs when I was recording this video - I actually went back and manually generated the RSA private/public.pem for user1 but ran into additional errors after that; hopefully they will fix the bugs soon xD* - Hope you enjoy anyway 🙂

↢Social Media↣
Twitter: https://twitter.com/_CryptoCat
GitHub: https://github.com/Crypto-Cat
HackTheBox: https://app.hackthebox.eu/profile/11897
LinkedIn: https://www.linkedin.com/in/cryptocat
Reddit: https://www.reddit.com/user/_CryptoCat23
YouTube: https://www.youtube.com/CryptoCat23
Twitch: https://www.twitch.tv/cryptocat23

↢Resources↣
https://www.veracode.com/events/hacker-games
https://securitylabs-ce.veracode.com/
https://snyk.io/blog/python-security-best-practices-cheat-sheet/
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens
https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3?gi=bd71d3a3b419
https://www.jsonwebtoken.io/

↢Chapters↣
Start - 0:00
Introduction to JSON Web Tokens - 0:24
The Structure of JWTs - 3:16
Using the "Users" API - 9:06
Bypass by changing "alg" to None - 13:57
Bypass by changing "alg" to HMAC (broken lab) - 19:00
Planning the Fix (super broken) - 26:34
Shifting to PyJWT - 30:18

Video "JSON Web Token Flaws - Python AppSec (by Duo Sec) - Veracode Security Labs Community Edition (free)" from the CryptoCat channel
Video information
1 May 2021, 16:16:12
00:34:01