07. Patrycja Wegrzynowicz - The Hacker's Guide to JWT Security | GopherConAU 2023

How to hijack a user account in a JWT app? How to exploit security vulnerabilities on the client-side, on the server-side, or in transport? In our live demos, you'll dive into these and other aspects of JWT security. JSON Web Token (JWT) is an open standard for securely transmitting information between parties as a JSON object. JWT is widely used in modern applications as a stateless authentication mechanism. Thus, it is important to understand JWT security risks, especially when broken authentication is among the most prominent security vulnerabilities according to the OWASP Top 10 list. This talk guides you through various security risks of JWT, including confidentiality problems, vulnerabilities in algorithms and libraries, token cracking, token sidejacking, and more. In live demos, you’ll learn how to hijack a user account exploiting common security vulnerabilities on the client-side, on the server-side, and in transport. You’ll also find out about common mistakes and vulnerabilities along with the best practices related to the implementation of JWT authentication and the usage of available JWT libraries in Go.