Articles in category: Security
After the successful experience of having a code challenge in March 2024, we decided to go further in delivering experiences to our colleagues.
Scouting around, I turned to Alessio Giorgianni, a developer with a passion for white hat hacking competitions. We agreed to try an experience using a platform called Hack The Box. Hack The Box Academy offers lots of information and training about IT security and, in our case, some exercises we could use for hacking dummy applications, with a whitebox example (i.e., an example where all the code is disclosed to us; there are also other kinds of pentest). We agreed upon using a non-trivial quest, called Jerrytok. Jerrytok is a WAPT (Web App Penetration Testing) whitebox challenge. We got a simple web application, written in PHP, which exposes the harm of using template engines improperly. It's a good introduction to SSTI, Server Side Template Injection.
When I started my study of JWT, I was searching for a smart method to authenticate a request without querying the database each time to check the requester's trustworthiness.
I needed a token, or something similar, able to validate itself and flexible enough to customize the validation strategy.
Imagine, for example, a web application where a user can log in and obtain a "pass" carrying his name and an expiration time; this pass lets him ask for resources until it expires, and only if the issuer is trusted.
Thanks to JWT's self-verification capabilities, I could discard every request where the token is invalid (a fake token not signed by my application) or expired.
Beyond this specific use case, JWT can also be useful to securely transmit data to other applications.
Data protection is one of the most pressing and recurrent problems of recent years: whether it concerns users' private information or the company we work for, the problem is always the same.
How can we protect such data from attackers who would - and could (!!) - manage to get hold of it?
Before arriving at a solution to this problem, however, it is necessary to split the cases into at least two branches. On the web, data can be "obtained" at two different moments: 1) while it is in transit over the network as packets, or 2) after it has been stored (e.g. in a database or file) on one or more servers.