Sign up to save your podcasts
Or
Share Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)
In this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Authentication & Authorization Fundamentals:
- Authentication: Identifying the user.
- Authorization: Defining what actions an authenticated user can perform.
- Stateful vs. Stateless:
- Stateful: Session cookies store session data on the server.
- Stateless: Tokens are validated without server-side session storage.
- Basic and Digest Authentication:
- Basic Auth: HTTP-based, sends Base64-encoded credentials; vulnerable because Base64 is easily decoded.
- Digest Auth: Adds MD5 hashing with a nonce to protect credentials; less common.
- Attacks on Traditional Methods:
- MITM Attacks: Stealing credentials if HTTPS is not used.
- Brute Force: No retry limits enable guessing credentials.
- Logic Attacks (Wrong HTTP Methods): Unprotected HTTP methods allow bypassing auth.
- Configuration File Exploitation: Accessing .htpasswd or .htdigest and cracking hashes.
- Mitigation: Use HTTPS, enforce strong passwords, limit login retries, and protect all HTTP methods.
- Tokens, Cookies, and JWT:
- Cookies: Stateful; risks include XSS (if not HTTP Only), CSRF, and scalability issues.
- Tokens: Stateless; risks include XSS (if in local storage), CSRF (if in cookies), and non-revocable compromised tokens.
- JWT (JSON Web Token):
- Structure: Header (algorithm), Payload/Claim (user data, exp, issuer), Signature (verification).
- Generation: Signed using a secret key and chosen algorithm.
- Usage: Stateless API authentication, self-contained.
- JWT Attacks & Mitigation:
- Algorithm Bypass (None Attack): Modifying header to none can bypass verification.
- Algorithm Confusion (RS256 → HS256): Signing with public key due to server misconfiguration.
- Cracking Weak Secrets: Brute force or dictionary attacks on weak signing keys.
- Mitigation for JWT: Enforce strong random keys, backend-enforced algorithm validation, short token expiration, and HTTPS.
- Core takeaway: Modern web authentication requires careful design of state handling (cookies vs tokens), secure credentials, and robust JWT management to prevent bypasses, tampering, and data leaks.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Authentication & Authorization Fundamentals:
- Authentication: Identifying the user.
- Authorization: Defining what actions an authenticated user can perform.
- Stateful vs. Stateless:
- Stateful: Session cookies store session data on the server.
- Stateless: Tokens are validated without server-side session storage.
- Basic and Digest Authentication:
- Basic Auth: HTTP-based, sends Base64-encoded credentials; vulnerable because Base64 is easily decoded.
- Digest Auth: Adds MD5 hashing with a nonce to protect credentials; less common.
- Attacks on Traditional Methods:
- MITM Attacks: Stealing credentials if HTTPS is not used.
- Brute Force: No retry limits enable guessing credentials.
- Logic Attacks (Wrong HTTP Methods): Unprotected HTTP methods allow bypassing auth.
- Configuration File Exploitation: Accessing .htpasswd or .htdigest and cracking hashes.
- Mitigation: Use HTTPS, enforce strong passwords, limit login retries, and protect all HTTP methods.
- Tokens, Cookies, and JWT:
- Cookies: Stateful; risks include XSS (if not HTTP Only), CSRF, and scalability issues.
- Tokens: Stateless; risks include XSS (if in local storage), CSRF (if in cookies), and non-revocable compromised tokens.
- JWT (JSON Web Token):
- Structure: Header (algorithm), Payload/Claim (user data, exp, issuer), Signature (verification).
- Generation: Signed using a secret key and chosen algorithm.
- Usage: Stateless API authentication, self-contained.
- JWT Attacks & Mitigation:
- Algorithm Bypass (None Attack): Modifying header to none can bypass verification.
- Algorithm Confusion (RS256 → HS256): Signing with public key due to server misconfiguration.
- Cracking Weak Secrets: Brute force or dictionary attacks on weak signing keys.
- Mitigation for JWT: Enforce strong random keys, backend-enforced algorithm validation, short token expiration, and HTTPS.
- Core takeaway: Modern web authentication requires careful design of state handling (cookies vs tokens), secure credentials, and robust JWT management to prevent bypasses, tampering, and data leaks.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy