Presented at DeepSec 2017 „Science First!“
JavaScript Object Notation (JSON) has evolved into the de facto standard file format on the web, used for application configuration, cross- and same-origin data exchange, and Single Sign-On (SSO) protocols such as OpenID Connect. To protect the integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly to JSON messages.

We investigate the security of JOSE and present several practical attacks on popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper), our newly developed Burp Suite extension, which automatically performs security analysis of targeted applications. JOSEPH's automatic vulnerability detection ranges from simple signature exclusion and signature faking techniques, which bypass JSON message integrity checks, up to highly complex cryptographic Bleichenbacher attacks that break the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them provide fixes.
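The signature exclusion check the abstract refers to, as an added example that is not the authors' JOSEPH code: a minimal HS256 JWS verifier that pins the algorithm on the verifier side instead of trusting the token header, run against a constructed unsigned ("alg":"none") test vector. The key, payload and helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier loads its key from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) protected with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes):
    """Return (True, payload) only when the header says HS256 and the MAC verifies.

    The algorithm is fixed by the verifier, not read from the attacker-controlled
    header, so an "alg":"none" token with an empty third segment (signature
    exclusion) or any substituted algorithm is rejected before a MAC is computed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed compact serialization"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSON and UTF-8 decode failures
        return False, "undecodable header or signature"
    if header.get("alg") != "HS256":
        return False, f"algorithm not allowed: {header.get('alg')!r}"
    if not sig:
        return False, "empty signature"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, json.loads(b64url_decode(body_b64))


def unsigned_test_vector(token: str) -> str:
    """Constructed regression input: same payload, header set to "none", signature removed."""
    _, body_b64, _ = token.split(".")
    none_header = b64url_encode(b'{"alg":"none"}')
    return f"{none_header}.{body_b64}."
```

A library that accepts the unsigned test vector is exhibiting exactly the signature exclusion weakness the abstract describes.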
Presenters:
- Jörg Schwenk, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
- Vladislav Mladenov, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
- Christian Mainka, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
- Juraj Somorovsky, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
- Dennis Detering, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum