security never sleeps

Android Reversing to Find JWT Key

February 06, 2018

In the previous blog post, I discussed JWTs and their common vulnerabilities. There, I mentioned a recent engagement where I discovered an Android application signing JWTs using HS512 on the client side, which set in motion a hunt to find the symmetric key and forge modified JWTs. This blog post will cover the basic Android hacking techniques and methodology used along the way. If you are new to Android application testing, this blog post will be a great resource to learn from!

JWT Hacking 101

December 07, 2017

As JavaScript continues its quest for world domination, JSON Web Tokens (JWTs) are becoming more and more prevalent in application security.  Many applications use them, so it has become very important for me to know as much as I can and I want to share what I’ve learned. In this blog post I will discuss…

Code Featured on Mr. Robot (USA Network)

November 30, 2017

Last night’s episode of Mr. Robot (eps3.6_fredrick+tanya.chk) contained some code I wrote for a WebLogic deserialization vulnerability in my earlier blog post, Hands on with WebLogic Serialization Vulnerability. I still can’t quite believe it!   Chris Frohoff‏ (@frohoff ) the author of the “ysoserial” deserialization tool caught it and tagged me on Twitter. Much thanks to him…

All Posts