Yon Labs Security Project

Goal

Yon Labs Security Project Y-SEC aims at increasing awareness about web application security among developers, especially Java developers.

One learns from books and example only that certain things can be done. Actual learning requires that you do those things.

Frank Herbert

As actual learning requires doing, our goal is to provide a set of working demos on security vulnerabilities, available as open-source code for self-hosting and education as well as hosted applications for actual testing and hacking.

Security Topics

At the moment, we have the following topics covered:

JWT Security

• none algorithm in a token
• brute-force token cracking
• packet sniffing to steal a token
• XSS to steal a token

Cross-Site Scripting (XSS)

NoSQL Injection

Authentication and Session Management

• URL-rewriting to expose a cookie
• packet sniffing to steal a cookie
• XSS to steal a cookie
• CSRF to use a cookie

Resources

The hosted application for JWT security is available at demo.yonlabs.com, thanks to Oracle Cloud.
The code repositories are available at GitHub:

• the main GitHub repo: y-sec (still in development!)
• the old GitHub repo for XSS and NoSQL injection: hacker-guide-nosql-xss

The slides and videos from the actual demos and live hacking at conferences are available at Talks.