
📃 Write a blog post about JWT None algo attack using Akto

Open Ankita28g opened this issue 2 years ago • 12 comments

💭 Introduction

Akto is an open source API security product.

Your task is to write a blog post about testing for JWT None Algo attack using Akto.

🎯 Requirements

  • Your article has to be publicly available.
  • Your article must tag Akto in any way (hashtag, embedded, link...).
  • Your article should be at least 1000 words long.
  • Your article should look nice. 👀 Use titles, subtitles, screenshots, images, gifs, or even memes.
  • The blog has to be factually correct. Incorrect submissions will be rejected.
  • You have to deep dive into the product by signing up and using it.

✅ Task summary:

  • [ ] Drop a comment on this issue indicating that you’re working on it.
  • [ ] Write a blog post with the title "How I tested for JWT None Algo attack using Akto?"
  • [ ] Publish an article on your favorite platform or website (Medium, Dev.to, Hashnode...).
  • [ ] Submit a pull request here.
  • [ ] Share your work on social media and tag https://github.com/akto-api-security/akto (Reddit / HackerNews / Twitter / Facebook / LinkedIn)

πŸ™‹πŸΌβ€β™‚οΈ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

Ankita28g avatar Mar 06 '23 17:03 Ankita28g

This task can have multiple assignees.

Ankita28g avatar Mar 09 '23 08:03 Ankita28g

@Ankita28g I would like to work on this issue please assign it to me.

Asterwl avatar Mar 31 '23 15:03 Asterwl

Assigned to you @Aviraltech. Happy Hackfesting 🎉

Ankita28g avatar Mar 31 '23 16:03 Ankita28g

Hi @Aviraltech, thanks for your submission in Hackfest. 🔥 We are reviewing your work. Do these two below:

Join this group on Discord for discussions around prizes? 🚀 🏆 Please fill in this form for your PR to be considered for prizes!

Ankita28g avatar Apr 11 '23 09:04 Ankita28g

This task can have multiple assignees.

Ankita28g avatar Oct 12 '23 06:10 Ankita28g

This looks interesting too!! How about you assign me this?

aayushii9602 avatar Oct 13 '23 16:10 aayushii9602

I would like to work on this.

beneyalraj avatar Oct 13 '23 17:10 beneyalraj

@aayushii9602 and @beneyalraj, assigned to both of you. Make sure you read the requirements before you start.

Ankita28g avatar Oct 14 '23 12:10 Ankita28g

I've published a blog, please let me know if it's good: https://medium.com/@beneyalraj03/how-i-tested-for-jwt-none-algo-attack-using-akto-951d555b903b

beneyalraj avatar Oct 15 '23 17:10 beneyalraj

@beneyalraj the blog looks good to me.

Some suggestions to make it better:

  1. In Step 2 (Identifying the Target Endpoint) it is not necessary to use a PUT endpoint. Instead, talk about how to target endpoints with a JWT token in the request.
  2. In Step 6 (Check the Attempt Tab for the Modified Token) hover on the "authorization" header to show how the token has changed. Maybe use jwt.io to show the none algorithm in the new token.
  3. Talk about https://www.akto.io/test/jwt-none-algorithm in your blog. Akto has a test library where anyone can test their API for the JWT none algo vulnerability without signing up on Akto; highlight the simplicity of the approach.

Make these changes and we are pretty much good to go.

avneesh-akto avatar Oct 19 '23 06:10 avneesh-akto
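To make concrete what suggestions 2 and 3 ask the blog to show, here is an added illustration (not code from this thread, from the blog, or from Akto itself) of what the "modified token" looks like and why a test endpoint either accepts or rejects it: a constructed HS256 key, a fixture that builds a signed token and its unsigned `alg: none` variant, a naive verifier that trusts the header's `alg` (the vulnerable behaviour the test detects) and a hardened one that pins the algorithm server-side. The key, claims and function names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"demo-hs256-key-not-a-real-secret"  # constructed for the example, not a real secret


def b64url_decode(seg: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Test fixture: 'HS256' gives a signed token, 'none' the unsigned form a none-algo test sends."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg.lower() == "none":
        return f"{header}.{body}."  # empty signature segment, as seen in the Authorization header
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def header_alg(token: str) -> str:
    """The alg claim in the header: what jwt.io displays for the modified token."""
    return json.loads(b64url_decode(token.split(".")[0])).get("alg", "")


def verify_naive(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Vulnerable verifier: honours whatever alg the unauthenticated header claims."""
    h, b, s = token.split(".")
    if header_alg(token).lower() == "none":  # bug: an unsigned token is accepted as-is
        return json.loads(b64url_decode(b))
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(b)) if hmac.compare_digest(expected, b64url_decode(s)) else None


def verify_strict(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned server-side, never taken from the token."""
    parts = token.split(".")
    if len(parts) != 3 or header_alg(token) != "HS256":  # exact match rejects none/None/NONE too
        return None
    h, b, s = parts
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(b))
```

An API whose verifier behaves like `verify_naive` is what the JWT none algorithm test flags; one behaving like `verify_strict` returns an error for the modified token.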

I have made the above changes in the blog post.

beneyalraj avatar Oct 19 '23 20:10 beneyalraj

This looks awesome @beneyalraj. @Ankita28g can you also review this?

avneesh-akto avatar Oct 20 '23 04:10 avneesh-akto