Talk

The Hacker's Guide to JWT Security

Conference
Security

JSON Web Token (JWT) is an open standard for creating tokens that assert some number of claims like a logged in user and his/her roles. JWT is widely used in modern applications as a stateless authentication mechanism. Therefore, it is important to understand JWT security risks, especially when broken authentication is among the most prominent security vulnerabilities according to the OWASP Top 10 list.

This talk guides you through various security risks of JWT, including confidentiality problems, vulnerabilities in algorithms and libraries, token cracking, token sidejacking, and more. In live demos, you’ll learn how to hijack a user account exploiting common security vulnerabilities on the client-side, on the server-side, and in transport.

You’ll also find out about common mistakes and vulnerabilities along with the best practices related to the implementation of JWT authentication and the usage of available JWT libraries.

Vulnerabilities
Security
Demo
JWT

Patrycja Wegrzynowicz

Yon Labs

Patrycja Wegrzynowicz is a software visionary and expert specialized in automated software engineering and Java technologies. She is the founder and CTO of Yon Labs, a start-up focused on automated detection and refactoring of software defects, including security vulnerabilities, performance and concurrency anti-patterns, and database issues. Patrycja is a regular speaker at major academic as well as industrial conferences, including JavaOne, Devoxx, JavaZone, OOPSLA, ASE, and others. She has been named as one of Top 10 Women in Tech in Poland 2016 by Girls in Tech. Patrycja’s interests focus on patterns and anti-patterns in software along with automated software engineering, particularly static and dynamic analysis techniques to support program verification, comprehension, and optimization.

Talks by tracksTalks by session typesList of SpeakersSchedule