
Louis Nyffenegger
Founder at PentesterLab
Melbourne, Australia
Louis Nyffenegger is a renowned application security expert and the founder of PentesterLab, a leading platform for hands-on security training. With extensive experience in penetration testing, code review, and application security, Louis has worked at organizations such as National Australia Bank, Australia Post, and Fitbit.
He has delivered talks at prestigious security conferences, including DEFCON, OWASP California, and BSides Canberra, sharing insights on web security, code review techniques, and the intricacies of penetration testing.
As the primary author of PentesterLab’s labs, Louis has designed practical, real-world exercises that help security professionals and developers master vulnerabilities and improve their skills. He also runs AppSecSchool, a YouTube channel dedicated to application security, and writes thought-provoking blog posts to inspire the security community.
Beyond his technical contributions, Louis is passionate about teaching and empowering others to build secure software. He believes in a hands-on approach to security education, emphasising real-world applications and meaningful learning experiences.
JWT Parkour
JSON Web Tokens are now everywhere: they are used as session tokens, as OAuth tokens, or simply to pass information between applications or microservices. By design, the JWT format carries a number of security and cryptography pitfalls that lead to interesting vulnerabilities. In this workshop, we will learn how to exploit some of them.
First, we will look at the older issues: the none algorithm, and guessing or brute-forcing the HMAC secret.
Then we will move on to more recent issues: how an RSA public key can be recovered from two or more signatures in order to exploit algorithm confusion even when the key is not published, and how the same recovery can be done for ECDSA. We will also look at abusing the kid, jku and x5u header parameters, and finally at leveraging CVE-2022-21449 (the Java ECDSA "psychic signatures" bug) to bypass signature verification.
Deep dive into JWT Algorithm Confusion
In this talk, we will explore algorithm confusion attacks against JSON Web Tokens (JWTs). We will begin with a brief introduction to JWTs and the concept of algorithm confusion, explaining how these attacks can compromise application security. A significant portion of the session will focus on source code analysis, examining various libraries and their approaches to preventing algorithm confusion. By reviewing vulnerable code from real codebases, we will demonstrate the conditions that enable these exploits.
Additionally, we will cover exploitation in detail with live demos, showcasing how attackers can exploit these vulnerabilities in practice. This hands-on approach will equip attendees with practical insights to identify and mitigate such threats in their own applications. Attendees will also gain a deeper understanding of what mitigations may be effective for other security issues beyond JWTs.