Three New Attacks Against JSON Web Tokens

5,748

185 0

Published 2023-12-21

JSON Web Tokens (JWTs) have become omnipresent tools for web authentication, session management and identity federation. However, some have criticized JWT and associated Javascript Object Signing and Encryption (JOSE) standards for cryptographic design flaws and dangerous levels of unnecessary complexity. These have arguably led to severe vulnerabilities such as the well-known "alg":"none" attack....

By: Tom Tervoort

Full Abstract and Presentation Materials: www.blackhat.com/us-23/briefings/schedule/#three-n…