BSidesAugusta 2023

{JWT}.{Misuse}.&Abuse
2023-10-07, Track 3

JWTs are an incredibly flexible tool that makes life easier for developers because they are standardized, widely supported, and include important security features by default. However, like any powerful tool, JWTs can be dangerous when used incorrectly, or for unintended purposes. In this talk, I aim to shine a light on common JWT misuse and abuse. I'll start by briefly describing JWTs and common use cases for them. I'll then present real-world scenarios of misuse and abuse from applications that I've tested as a consultant, and written as an engineer. As I present each scenario, I'll demonstrate the various features and failures live, and discuss how the specific implementation of JWTs can be hardened. The end result will be an enlightening and entertaining presentation of information and experience that will provide the viewer with a practical knowledge of how, and how not, to use JWTs.

Application Security Engineer with extensive experience in the information technology and security industries. Experience ranges from software development to full-scope penetration testing (red teaming) as both a technician and leader for both the United States Military and private industry. Currently specializing in application security as a trainer and practitioner of web application penetration testing and secure software development.