Security BSides Las Vegas 2025

The HMAC Trap: Security or Illusion?
2025-08-04, Tuscany

Every day, billions of messages are signed with HMACs. We assume using HMAC is the way to gatekeep integrity and authenticity. But what happens when this cryptographic seal is misunderstood, misused, or just plain broken?
This talk will show you that HMAC is not just a cryptographic construction but a misunderstood superhero of the authentication world. Join me in unraveling where HMAC went wrong and where it got it right: through code demos, vulnerability breakdowns, and examples using Python and open-source tools, we’ll show how even mature systems can fall victim to these quiet flaws, and how to spot them before attackers do.


This talk is the result of deep-dive research into HMAC vulnerabilities, misconfigurations, implementation flaws, and security failures that have led to authentication bypasses and exploited systems. HMAC is one of the most widely used cryptographic primitives in modern authentication, securing APIs, JWTs, and message integrity across countless applications. However, as my research has shown, it's also frequently misunderstood and misused in ways that introduce serious security risks.

I have explored multiple vulnerabilities in real-world HMAC implementations and analyzed how subtle mistakes can lead to authentication failures. This talk will focus on breaking down these weaknesses through pre-recorded demos, code reviews, and attack scenarios, using open-source tools such as Python’s hmac module and techniques such as hash-extension attacks and other exploitation methods.
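The abstract contrasts flawed and correct HMAC usage: the naive SHA-256(key || message) pattern that hash-extension attacks build on, tag comparison that leaks timing, and the validation testing a verifier should survive. The following is an added illustration written for this page, not code from the talk or its GitHub repo: it puts the flawed tag construction beside HMAC-SHA256, a hardened verifier using Python's hmac.compare_digest, and a small set of constructed validation cases. The demo key, the 32-byte minimum key-length policy, and the JSON payload are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key (32 bytes, the SHA-256 output size). A real service
# loads its key from a secrets store, never from source code.
DEMO_KEY = bytes(range(32))
MIN_KEY_LEN = 32  # policy assumption: key at least as long as the hash output


def naive_tag(key: bytes, message: bytes) -> str:
    """Flawed pattern: SHA-256(key || message). The output is the hash's raw
    internal state, which is exactly what hash-extension attacks build on."""
    return hashlib.sha256(key + message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Correct pattern: HMAC-SHA256 (RFC 2104), keyed in both hash passes."""
    if len(key) < MIN_KEY_LEN:
        raise ValueError("HMAC key shorter than policy minimum")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_flawed(key: bytes, message: bytes, tag: str) -> bool:
    """Functionally 'works', but == stops at the first mismatching character,
    so response time leaks how much of a guessed tag was correct."""
    return hmac_tag(key, message) == tag


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Hardened verifier: reject malformed tags up front, then compare in
    constant time. Never raises on attacker-controlled input."""
    if not isinstance(tag, str) or len(tag) != 64:
        return False
    try:
        bytes.fromhex(tag)
    except ValueError:
        return False
    expected = hmac_tag(key, message)
    return hmac.compare_digest(expected, tag.lower())


def run_validation_cases() -> dict:
    """Constructed cases a validation script would run against a verifier.
    Only 'valid' should pass; every other case must be rejected."""
    msg = b'{"user":"alice","role":"user"}'  # constructed sample payload
    tag = hmac_tag(DEMO_KEY, msg)
    other_key = bytes(range(32, 64))  # constructed second key
    flipped_last = "0" if tag[-1] != "0" else "1"
    return {
        "valid": verify(DEMO_KEY, msg, tag),
        "tampered_message": verify(
            DEMO_KEY, msg.replace(b'"role":"user"', b'"role":"admin"'), tag
        ),
        "tampered_tag": verify(DEMO_KEY, msg, tag[:-1] + flipped_last),
        "wrong_key": verify(other_key, msg, tag),
        "truncated_tag": verify(DEMO_KEY, msg, tag[:32]),
        "non_hex_tag": verify(DEMO_KEY, msg, "zz" * 32),
        "naive_tag_rejected": verify(DEMO_KEY, msg, naive_tag(DEMO_KEY, msg)),
    }


if __name__ == "__main__":
    for name, accepted in run_validation_cases().items():
        print(f"{name:20s} accepted={accepted}")
```

The verifier validates the tag's shape before doing any cryptography so that attacker-supplied input can only produce a clean False, and it uses compare_digest rather than == so that a wrong tag costs the same time regardless of how many leading characters happen to match.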

Tools & Resources:
• GitHub repo with PoC code and demos: https://github.com/HexxedBitHeadz/02-17-HMAC
• Python scripts for HMAC validation testing
• Custom Flask-based vulnerable app for exploitation demos
• Blog reference: https://hexxedbitheadz.com/unraveling-the-cryptographic-thread-of-hmac/
• OWASP cheat sheets – used for contrasting secure vs. flawed HMAC usage: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
• https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html

Marluan Cleary is a Penetration Tester and cybersecurity student passionate about breaking, building, and securing systems. She researches and documents real-world vulnerabilities through technical blogs at Hexxed BitHeadz, offering hands-on insights into tools, techniques, and emerging threats. Focused on cryptography, exploit development, and offensive security,