Session
Deep dive into JWT Algorithm Confusion
In this talk, we will explore algorithm confusion attacks against JSON Web Tokens (JWTs). We will begin with a brief introduction to JWTs and the concept of algorithm confusion, explaining how these attacks can compromise application security. A significant portion of the session will focus on source code analysis, examining various libraries and their approaches to preventing algorithm confusion. By reviewing vulnerable code from real codebases, we will demonstrate the conditions that enable these exploits.
Additionally, we will cover exploitation in detail with live demos, showcasing how attackers can exploit these vulnerabilities in practice. This hands-on approach will equip attendees with practical insights to identify and mitigate such threats in their own applications. Attendees will also gain a deeper understanding of what mitigations may be effective for other security issues beyond JWTs.