Goal
The Yon Labs Security Project (Y-SEC) aims to increase awareness of web application security among developers, especially Java developers.
One learns from books and example only that certain things can be done. Actual learning requires that you do those things.
Frank Herbert
Because actual learning requires doing, our goal is to provide a set of working demos of security vulnerabilities, available both as open-source code for self-hosting and education, and as hosted applications for hands-on testing and hacking.
Security Topics
The following topics are currently covered:
JWT Security
- the "none" algorithm in a token
- brute-force token cracking
- packet sniffing to steal a token
- XSS to steal a token
Cross-Site Scripting (XSS)
NoSQL Injection
Authentication and Session Management
- URL rewriting to expose a session cookie
- packet sniffing to steal a cookie
- XSS to steal a cookie
- CSRF to use a cookie
Resources
The hosted application for JWT security is available at demo.yonlabs.com, thanks to Oracle Cloud.
The code repositories are available at GitHub:
- the main GitHub repo: y-sec (still in development!)
- the old GitHub repo for XSS and NoSQL injection: hacker-guide-nosql-xss
The slides and videos from the actual demos and live hacking at conferences are available at Talks.