AppSec EU 2017 On The (In-)Security Of JavaScript Object Signing And Encryption by Dennis Detering

JavaScript Object Signing and Encryption (JOSE) has been standardized as a lightweight alternative to XML Signature and Encryption. It has early been integrated in authentication and authorization protocols like OpenID Connect and OAuth. In addition, it has been adopted in Web services. In our research, we provide the first study regarding the JSON security adapting and extending known attack techniques. We provide an evaluation of four different libraries revealing critical cryptographic attacks, ranging from attacks bypassing JSON Signature (Signature exclusion, Key Confusion, and Timing Attack on HMAC), to JSON Encryption (Bleichenbacher Million Message Attack). To facilitate the analysis we developed JOSEPH - the first open-source automated tool for evaluating JSON security. The extensible design of JOSEPH allows one to implement further cryptographic attacks, for example, padding oracle or invalid curve attacks. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...

Join Today
AppSec EU 2017 Everything Is Quantum! by Jaya Baloo
▶︎

AppSec EU 2017 Everything Is Quantum! by Jaya Baloo

Turing Award Winner: Disagreeing with Google, Postgres, Future Problems | Mike Stonebraker
▶︎

Turing Award Winner: Disagreeing with Google, Postgres, Future Problems | Mike Stonebraker

MCP Deception Incubator — Honeytraps as a Framework for Zero Trust AI Environments track 2
▶︎

MCP Deception Incubator — Honeytraps as a Framework for Zero Trust AI Environments track 2

Building Security Into Developer Velocity: How We Made Entra Identity Compliance Invisible track 1
▶︎

Building Security Into Developer Velocity: How We Made Entra Identity Compliance Invisible track 1

It’s Giving Insecure Vibes: Secure Coding Literacy for Vibe Coders Track 1
▶︎

It’s Giving Insecure Vibes: Secure Coding Literacy for Vibe Coders Track 1

Harari and Tegmark on Humanity and AI
▶︎

Harari and Tegmark on Humanity and AI

Trump Preps for 80th Birthday, Threatens to Hit Iran, Knicks Historic Win & Elon Musk Trillionaire!?
▶︎

Trump Preps for 80th Birthday, Threatens to Hit Iran, Knicks Historic Win & Elon Musk Trillionaire!?

“The Developer First Security Mindset” Making Security a Product Feature, Not a Blocker
▶︎

“The Developer First Security Mindset” Making Security a Product Feature, Not a Blocker

LIVE: Conan O’Brien speaks at Harvard graduation ceremony (full)
▶︎

LIVE: Conan O’Brien speaks at Harvard graduation ceremony (full)

Creator of C++: Bell Labs, Negative Overhead Abstraction, Mistakes | Bjarne Stroustrup
▶︎

Creator of C++: Bell Labs, Negative Overhead Abstraction, Mistakes | Bjarne Stroustrup

Something is jamming GPS over Europe. Here's what we found
▶︎

Something is jamming GPS over Europe. Here's what we found

The French Do Not Care About Work
▶︎

The French Do Not Care About Work

Exclusive Interview With Nvidia CEO Jensen Huang (Full Special)
▶︎

Exclusive Interview With Nvidia CEO Jensen Huang (Full Special)

What do tech pioneers think about the AI revolution? - The Engineers, BBC World Service
▶︎

What do tech pioneers think about the AI revolution? - The Engineers, BBC World Service

Most Leaders Don't Even Know the Game They're In | Simon Sinek
▶︎

Most Leaders Don't Even Know the Game They're In | Simon Sinek

Why Money, Success, and Pleasure Aren’t Enough
▶︎

Why Money, Success, and Pleasure Aren’t Enough

The Unity Tutorial For Complete Beginners
▶︎

The Unity Tutorial For Complete Beginners

SQL Course for Beginners [Full Course]
▶︎

SQL Course for Beginners [Full Course]

Why Sweden Is Becoming a Defense Powerhouse as Europe Rearms
▶︎

Why Sweden Is Becoming a Defense Powerhouse as Europe Rearms

How ASML Makes Chips Faster With Its New $400 Million High NA Machine
▶︎

How ASML Makes Chips Faster With Its New $400 Million High NA Machine