Hacking and Securing JSON Web Tokens (JWT)

Learn how to exploit insecure JWT implementations using practical exercises

Rating: 4.46 (569 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Students: 3,794
Content: 2 hours
Last update: Jul 2021
Regular price: $54.99

What you will learn

Students will get in-depth knowledge about JSON Web Tokens (JWT)

Students will learn JWT Implementation Weaknesses

Students will learn various practical JWT Attacks

Students will learn how to secure JWT implementations

Students will learn how to do JWT based REST API Security testing

Students will learn how HS256 and RS256 Algorithms work

Students will learn how Hash Based Message Authentication Code (HMAC) works

Students will learn how RSA Digital Signatures work

Students will learn how to use the openssl command-line client to practice cryptographic algorithms

Why take this course?

This course teaches various insecure implementations of JSON Web Token (JWT) based REST APIs. It begins by introducing students to the fundamental JSON Web Token concepts. Although this is an entry-level to intermediate-level course, we encourage you to take it if you already have basic web security knowledge, as it is designed to provide knowledge specific to JSON Web Tokens and does not cover the fundamentals of web security testing and REST API security testing. Note that the course covers a lot of fundamental JWT concepts, and only the last module covers practical attacks against JWT, so please set your expectations accordingly before starting the course. Rest assured, you will feel confident about JSON Web Tokens and JWT security testing after completing this course.


As a bonus, a virtual machine is provided with all the source code used in the labs, so you can change the code to create a few more vulnerable implementations of JWT.


Reviews

Kevin
September 15, 2023
The lab server instructions are incomplete. Troubleshooting was required to get the network of the VM running.
Miguel
August 15, 2023
Thanks to this course I understood very well how JWT works. Something I had not managed with the varied information on the internet.
Anna
August 1, 2023
This was a great course, it's worth buying, it's explained quickly, and very clearly. The only reason I didn't give it 5 stars is because the setup instructions for the lab are not very clear, but the information itself is excellent.
Michele
June 13, 2023
Nice course! I could have given an even better rating if: 1) I had a better understanding of the English language 2) the teacher had better pronunciation. Unfortunately, the automatic subtitles (in English) sometimes could not correctly translate what the teacher was saying; adding subtitles in English (and maybe also in Italian!) could certainly make this course more understandable.
Ankur
May 18, 2023
The course is really very good, must have it on your paid course list. The author has been engaging. The coding content is in PHP. I would appreciate it if that was in Node.js Or Go Or Rust, etc. But still, the course is worth every penny. I would suggest the author also update encryption algorithms like RSA - ['RS384', 'RS512'] OR EC - ['ES256', 'ES384', 'ES512'] for knowledge purposes. The author should focus more on the payload part of the JWT, and emphasis more importance of each what to be put as mandatory action and best practice. The author can also add how to have a production-grade deployment of JWT and best practices apart from attacks and defenses covered which is awesome.
M.
April 3, 2023
I thought it would be a nice course, but the basics are not here. Before hacking a token, you should inform how to catch tokens or how to be able to see a weakness. e.g. how to scan if a php has a none or a double system for JWT. So the basics are NOT shown, which means, the course has not a lot of value
Rajaramesh
December 30, 2022
He only used decode method and didn't use verify method, of course it will be able to decode if ALG is none. very bad course, I guess my hope was high
Marcos
December 14, 2022
JWT is covered very well but in my opinion the instructor should: 1) add more resources 2) include the php code to download 3) use docker instead of virtualbox
D
November 9, 2022
Instructor got to the content quickly and efficiently, sample code was very nice addition. Highly recommend.
Kyle
September 16, 2022
Course requires some background knowledge of APIs and/or network calls. Covers the uses of JWTs very well along with how to attack/defend them. All necessary knowledge regarding JWTs is included in the course.
Harry
July 24, 2022
I really love the course, it's short and focuses on what's important. hoping for other great content like this.
Jani
July 19, 2022
It was not an easy course to follow. Yes, we have to make the effort to study and understand, the instructor should help us to do it in less time possible. In my opinion the instructor should: - spend some more time for introducing the environment setup, as we can focus on the real topics of the course - the examples should be more clear and easy to follow
Henrique
June 27, 2022
Very poor lab setup as in no network adapter info so I couldn't even open the website hosted on the server. The SSH is only to see the source code of the website, so, little effort there. And it's just repetitive. You always do the same things over and over and not even give an opportunity or a pause for the users to do the steps themselves. Could even use a step by step tutorial, from zero to fully exploited and brute-forced JW Tokens. Very disappointing overall and time wasting.
Ivan
April 24, 2022
Course is short and good. Attacks were a bit disappointing and didn’t look real. Also confused by requirement to download virtual image with sample code. It was so hard to make it work, but it was useless after all - watching video is just enough
Roland
December 10, 2021
The course is successful in that I learned how AWT works in principle, and points you to a few simple attack points you should avoid. Thank you especially for the HS256 attack via RSA public key. I would have liked more information about how to use GET requests in a secure way (avoid clients logging credentials or tokens etc.). Personally, I would also recommend to find a way to do the exercises without the need to download and install 8GB(!) of software beforehand.

Udemy ID: 2983620
Course created date: 4/10/2020
Course indexed date: 5/21/2020
Course submitted by: Bot