So much information about testing webapps for security problems is old. Don't get me wrong, the old stuff still works way more often than we'd like, but there's more to webapp vulnerabilities than cross-site scripting and SQL injection.
Take JWTs - JSON Web Tokens - for example. These are base64 encoded tokens that sometimes get written to your browser's localStorage or sessionStorage and passed around in cookies or HTTP headers. They're pretty common in authentication and authorization logic for web APIs.
Because they're encoded, they look like gibberish and it's easy to skip over them during a test. For the same reason, they're more complicated to attack. First you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you've done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it.
It's kind of a lot.In this Black Hills Information Security webcast - an excerpt from his upcoming 16-hour Modern Webapp Pentesting course - BB King will talk about what JSON Web Tokens are, why they're so controversial, and how to test for their major weaknesses. Then, using OWSAP's Juice Shop as a target, he'll show you a straightforward method for exploiting them that you can use on your own next webapp pentest.
