On the Insecurity of JavaScript Object Signing and Encryption - AppSec EU 2017

Explore the critical security vulnerabilities in JavaScript Object Signing and Encryption (JOSE) in this 45-minute conference talk from AppSec EU 2017. Delve into the first comprehensive study on JSON security, adapting and extending known attack techniques. Discover the evaluation of four different libraries, revealing critical cryptographic attacks such as Signature exclusion, Key Confusion, and Timing Attack on HMAC for JSON Signature, as well as the Bleichenbacher Million Message Attack for JSON Encryption. Learn about JOSEPH, the first open-source automated tool for evaluating JSON security, and its extensible design for implementing further cryptographic attacks. Gain valuable insights into the security implications of JOSE's integration in authentication and authorization protocols like OpenID Connect and OAuth, as well as its adoption in Web services.