blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
https://www.blstsecurity.com/cherrybomb
Apache License 2.0

Passive Test / JWT Security #70

Open DeliciousBounty opened 1 year ago

DeliciousBounty commented 1 year ago

We are looking for contributors!

The JWT passive test will run several tests on the JWT token in accordance with best practices. In other words, it ensures that the token's structure is legitimate, that the encryption is valid, etc. For more details please check OWASP: https://owasp.org/www-chapter-belgium/assets/2021/2021-02-18/JWT-Security.pdf https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
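As an added example (not Cherrybomb's own code), the following Python sketch shows the kind of key-less passive checks the issue asks for: token structure, the `alg` header (including `none`), an empty signature segment and the `exp` claim from the OWASP cheat sheet. The function names and the sample tokens are constructed here; the signature segments are placeholders, not real signatures.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment (for samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def jwt_passive_findings(token: str, now=None) -> list:
    """Return best-practice findings for one JWT without needing its key.

    Each finding is a short string; an empty list means nothing was flagged.
    """
    now = time.time() if now is None else now
    findings = []
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["structure: expected 3 dot-separated segments, got %d" % len(parts)]
    try:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:
        return ["structure: header/payload is not base64url-encoded JSON (%s)" % exc]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["structure: header and payload must be JSON objects"]
    alg = header.get("alg")
    if alg is None:
        findings.append("alg: header has no 'alg' claim")
    elif str(alg).lower() == "none":
        findings.append("alg: 'none' means the token is unsigned; it must be rejected")
    elif str(alg).upper().startswith("HS"):
        findings.append("alg: %s is symmetric; the shared secret must be long and random" % alg)
    if not parts[2]:
        findings.append("signature: segment is empty")
    exp = payload.get("exp")
    if exp is None:
        findings.append("exp: no expiry claim, the token never expires")
    elif not isinstance(exp, (int, float)):
        findings.append("exp: claim is not a numeric date")
    elif exp < now:
        findings.append("exp: token is already expired")
    return findings


# Constructed sample tokens (not real credentials); "placeholder-sig" is not a signature.
SAMPLE_GOOD = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                        _b64url_encode({"sub": "alice", "exp": 4102444800}), "placeholder-sig"])
SAMPLE_BAD = ".".join([_b64url_encode({"alg": "none"}), _b64url_encode({"sub": "alice"}), ""])
```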

glokta1 commented 1 year ago

Hi, I'd like to work on this issue.

DeliciousBounty commented 1 year ago

Hi @glokta1, thanks for getting involved. Check the contribute.md. If you need help or have any questions, feel free to ask :) This is my mail: nathan.s@blstsecurity.com

Hrushi20 commented 1 year ago

Is the aim of the issue to write JWT passive tests to validate the token's structure, valid encryption, etc.? Also, is the bounty still applicable?

DeliciousBounty commented 1 year ago

@Hrushi20 Yes, exactly; your suggestions can be included in this passive check, but actually there is no bounty.