Yon Labs Security Project


Yon Labs Security Project Y-SEC aims at increasing awareness about web application security among developers, especially Java developers.

One learns from books and example only that certain things can be done. Actual learning requires that you do those things.

Frank Herbert

As actual learning requires doing, our goal is to provide a set of working demos on security vulnerabilities, available as open-source code for self-hosting and education as well as hosted applications for actual testing and hacking.

Security Topics

At the moment, we have the following topics covered:

JWT Security
  • none algorithm in a token
  • brute-force token cracking
  • packet sniffing to steal a token
  • XSS to steal a token
Cross-Site Scripting (XSS)

NoSQL Injection
Authentication and Session Management
  • URL-rewriting to expose a cookie
  • packet sniffing to steal a cookie
  • XSS to steal a cookie
  • CSRF to use a cookie


The hosted application for JWT security is available at demo.yonlabs.com, thanks to Oracle Cloud.
The code repositories are available at GitHub:

The slides and videos from the actual demos and live hacking at conferences are available at Talks.