BiteSizedChunks.comLearn one small thing at a time.

Course contentsShow

738Multi-Factor Authentication Fundamentals
739Authentication Factor Categories
740TOTP and Time-Based One-Time Passwords
741HOTP and Counter-Based OTP
742SMS and Email-Based 2FA Weaknesses
743Authenticator Apps and Seed Management
744Hardware Security Keys and FIDO U2F
745FIDO2 and WebAuthn
746Push Notification-Based MFA
747Recovery and Backup Codes
748MFA Bypass Attacks and Weaknesses
749Implementing and Enforcing MFA
750Passwordless Authentication Fundamentals
751WebAuthn and FIDO2 Protocol
752Platform and Roaming Authenticators
753Magic Links and One-Time Codes
754Passkeys and Cross-Device Authentication
755Passwordless Security Trade-offs
756OAuth 2.0 Overview and Roles
757OAuth 2.0 Grant Types
758Authorization Code Flow Deep Dive
759PKCE (Proof Key for Code Exchange)
760OAuth 2.0 Tokens: Access and Refresh
761OAuth 2.0 Scopes and Consent
762OAuth 2.0 Redirect URI Validation
763State Parameter and CSRF Protection
764OAuth 2.0 Client Authentication
765Implicit Flow Deprecation and Risks
766OAuth 2.0 Token Endpoint Security
767OAuth 2.0 Common Vulnerabilities
768OAuth 2.0 Security Best Practices
769OpenID Connect Overview and Relationship to OAuth 2.0
770ID Tokens and JWT Structure in OIDC
771OIDC Authentication Flows
772UserInfo Endpoint and Claims Retrieval
773OIDC Discovery and Dynamic Registration
774ID Token Validation and Security
775OIDC Session Management and Single Logout
776SAML Architecture and Components
777SAML Authentication Flow
778SAML Assertions and Claims
779XML Signature Wrapping Attacks
780SAML Response Replay and Reuse
781SAML Message Validation
782SAML vs OAuth/OIDC Comparison
783SAML Security Best Practices
784JWT Structure and Encoding
785JWT Signature Algorithms
786The 'none' Algorithm Vulnerability
787Algorithm Confusion Attacks
788JWT Claim Manipulation
789Weak Secret Keys and Brute Force
790JWT Header Injection Attacks
791JWT Expiration and Revocation
792JWE (JSON Web Encryption)
793JWT Best Practices and Validation
794JWT Storage and XSS Risks

738Multi-Factor Authentication Fundamentals
739Authentication Factor Categories
740TOTP and Time-Based One-Time Passwords
741HOTP and Counter-Based OTP
742SMS and Email-Based 2FA Weaknesses
743Authenticator Apps and Seed Management
744Hardware Security Keys and FIDO U2F
745FIDO2 and WebAuthn
746Push Notification-Based MFA
747Recovery and Backup Codes
748MFA Bypass Attacks and Weaknesses
749Implementing and Enforcing MFA
750Passwordless Authentication Fundamentals
751WebAuthn and FIDO2 Protocol
752Platform and Roaming Authenticators
753Magic Links and One-Time Codes
754Passkeys and Cross-Device Authentication
755Passwordless Security Trade-offs
756OAuth 2.0 Overview and Roles
757OAuth 2.0 Grant Types
758Authorization Code Flow Deep Dive
759PKCE (Proof Key for Code Exchange)
760OAuth 2.0 Tokens: Access and Refresh
761OAuth 2.0 Scopes and Consent
762OAuth 2.0 Redirect URI Validation
763State Parameter and CSRF Protection
764OAuth 2.0 Client Authentication
765Implicit Flow Deprecation and Risks
766OAuth 2.0 Token Endpoint Security
767OAuth 2.0 Common Vulnerabilities
768OAuth 2.0 Security Best Practices
769OpenID Connect Overview and Relationship to OAuth 2.0
770ID Tokens and JWT Structure in OIDC
771OIDC Authentication Flows
772UserInfo Endpoint and Claims Retrieval
773OIDC Discovery and Dynamic Registration
774ID Token Validation and Security
775OIDC Session Management and Single Logout
776SAML Architecture and Components
777SAML Authentication Flow
778SAML Assertions and Claims
779XML Signature Wrapping Attacks
780SAML Response Replay and Reuse
781SAML Message Validation
782SAML vs OAuth/OIDC Comparison
783SAML Security Best Practices
784JWT Structure and Encoding
785JWT Signature Algorithms
786The 'none' Algorithm Vulnerability
787Algorithm Confusion Attacks
788JWT Claim Manipulation
789Weak Secret Keys and Brute Force
790JWT Header Injection Attacks
791JWT Expiration and Revocation
792JWE (JSON Web Encryption)
793JWT Best Practices and Validation
794JWT Storage and XSS Risks

Lesson 790 of 3,052·16. Web Security - Authentication MechanismsPro lesson

JWT Header Injection Attacks

Exploiting jku, jwk, and kid header parameters to inject malicious keys or trigger SSRF.

This lesson is for subscribers

You've completed the free preview. Subscribe to unlock every lesson in every course.

See pricing Back to course