Android Reversing to Find JWT Key
February 06, 2018
In the previous blog post, I discussed JWTs and their common vulnerabilities. There, I mentioned a recent engagement where I discovered an Android application signing JWTs using HS512 on the client side, which set in motion a hunt to find the symmetric key and forge modified JWTs. This blog post will cover the basic Android hacking techniques and methodology used along the way. If you are new to Android application testing, this blog post will be a great resource to learn from!
JWT Hacking 101
December 07, 2017
Code Featured on Mr. Robot (USA Network)
November 30, 2017
Last night’s episode of Mr. Robot (eps3.6_fredrick+tanya.chk) contained some code I wrote for a WebLogic deserialization vulnerability in my earlier blog post, Hands on with WebLogic Serialization Vulnerability. I still can’t quite believe it! Chris Frohoff (@frohoff ) the author of the “ysoserial” deserialization tool caught it and tagged me on Twitter. Much thanks to him…