Ten Years of JSON Web Token (JWT) and Preparing for the Future
https://self-issued.info/?p=2708
#HackerNews #JSONWebToken #JWT #TenYears #TechTrends #FuturePreparation
Scott Arciszewski's post on How to Write a Secure JWT Library If You Absolutely Must: https://scottarc.blog/2023/09/06/how-to-write-a-secure-jwt-library-if-you-absolutely-must/
Follow the JWT (JSON Web Token) Rabbit, collect all 13 pieces, and share your badge! It's all part of Okta's Developer Days, taking place today and tomorrow.
#Auth0 #Okta #Identity #DigitalIdentity #authorization #authentication #online #conference #DevDay #DeveloperDay #JWT #JSONWebToken #ScavengerHunt
Here's the crate, FYI: https://github.com/JadedBlueEyes/jsonwebtoken. It's going pretty well.
I implemented support for RSA-PSS padding in my #JsonWebToken crate today. I feel no closer to understanding crypto at all.
Ding, dong, the CVE is dead! :partyparrot:
The JWT nodejs "vulnerability" from December, popularised at the start of January, has been recognised as a non-issue.
I'm really glad to see it gone. Hoping we get a rash of news stories to follow up on the torrent that followed the Unit 42 blog...
I'm not sure if its removal was down to me raising an issue on the GitHub Advisory Database :omya_github: to ask for it to be removed.
#jwt #cve #errata #cve_2022_23529 #auth0 #unit42 #jsonwebtoken
Pretty good and thorough explanation of why you should use JWT: :scremcat: https://medium.com/swlh/why-do-we-need-the-json-web-token-jwt-in-the-modern-web-8490a7284482
In recent weeks, parts of the developer ecosystem seem to be the #InfoSec weak spot no. 1.
And a lot of the events are "published" behind #noindex flags to SEO-optimize the Public Relations. "We take security seriously... until it's serious". That's bad practice, and it helps no one. Be transparent about the issues.
* #pytorch got backdoored (apparently it was a test / dependency confusion attack)
https://pytorch.org/blog/compromised-nightly-dependency/#how-to-check-if-your-python-environment-is-affected
* #CircleCI - automation holds secrets, compromised via a dev workstation. Customers have to change keys etc.
https://circleci.com/blog/jan-4-2023-incident-report/
* #Slack "breach" - they lost their code. Who knows what hardcoded secrets etc. they lost as well.
https://slack.com/intl/en-au/blog/news/slack-security-update
* #jsonwebtoken - part of many JavaScript based #oauth stacks. An Authentication Bypass here is a total failure.
https://security.snyk.io/package/npm/jsonwebtoken/4.0.0
* #datadog changes the #rpm gpg key due to the CircleCI issue. Which is proactive, and well thought of.
https://docs.datadoghq.com/agent/faq/circleci-incident-impact-on-datadog-agent/
* #x41 audited #git and they found severe vulns. This also affects CI systems, like #Jenkins or #GitHub Actions in some cases (if the Runner uses Git to build things).
https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/
What we learn: holistic #AppSec and Product Security has to look into these "mystical things" like the developer infrastructure, Software Bill Of Materials ( #sbom ), Continuous Integration etc. Things 99% of InfoSec professionals have 0 clue about.
In 2023 you should change that, and focus your training efforts there.
The second 2023 episode of #NINAsec is online!
It covers the impact of #JsonWebToken and its vulnerability, then the #infostealers that are running their malicious campaigns in Italy too ⤵️
https://buttondown.email/ninasec/archive/bugs-in-jsonwebtoken-e-spyware-su-phishing-anche/
https://thehackernews.com/2023/01/critical-security-flaw-found-in.html# #InfoSec : #JWT : Severe #Security Flaw Found in "#jsonwebtoken" Library Used by 22,000+ Projects
I see reports about a #JsonWebToken vulnerability (CVE-2022-23529), claiming that RCE is possible. Maybe I'm the one missing something here, but how could this possibly be exploited? Is that even a valid vulnerability report?
In order to exploit the vulnerability, someone needs to define a malicious toString function on the key object. Well, if they can do that, why do they need the library to call the function, can't they do it themselves? They need to run JavaScript code on the server in order to create that function, meaning that the prerequisite for RCE is… RCE!
There seems to be the assumption here that this key object can somehow be serialized along with the function, and then the library will deserialize it from some manipulated storage. But JSON doesn't serialize function code, and neither does any other serialization format that JavaScript code might use.
Seriously, how is that going around in the news without anybody asking: is there a single realistic scenario where this CVSS score 7.6 (as assigned by the reporter) vulnerability could be abused?
Popular JWT cloud security library patches "remote" code execution hole - It's remotely triggerable, but attackers would already have pretty deep network access if... https://nakedsecurity.sophos.com/2023/01/10/popular-jwt-cloud-security-library-patches-remote-code-execution-hole/ #cryptography #jsonwebtoken #jwt #rce
Malicious-code vulnerability in JsonWebToken library threatens 22,000 software projects
Because of a security vulnerability in a widely used library, open-source projects from IBM and Microsoft, among others, are vulnerable.
#JsonWebToken #Patch #Security #Sicherheitslücken #SoftwareBiblioheken #SupplyChainAttack #Update
Remote code execution bug discovered in the popular #JsonWebToken library
https://securityaffairs.com/140596/hacking/jsonwebtoken-library-rce.html
#securityaffairs #hacking
#jsonwebtoken High Severity Security #Vulnerability Found in "jsonwebtoken" #NPM Library (CVE-2022-23529). Attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted #JWT request. Update jsonwebtoken package to v9.0.0: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html
JSON Web Token (JSON Web Encryption) Authentication with Kirby CMS 3 - In yet another recent project, I'm building a book proposal submission... https://blog.mhgbrown.is/posts/8b72bbdf90640d2cc4c60be189c43e353f766e18 #Dev #Kirby3 #Authentification #JSONWebToken by @mhgbrown@twitter.com