Automated Security Testing of JWT-Based Web Sessions
COSTA, LEONARDO
2025/2026
Abstract
JSON Web Tokens (JWTs) are widely used in web session management, API authorization, and other security-sensitive exchanges, especially in applications built around OAuth 2.0, OpenID Connect, or custom token-based architectures. Despite this widespread adoption, vulnerabilities in JWT verification have been documented continuously since 2015, and new weaknesses still appear in modern libraries and deployments. However, there is still no large-scale black-box study of how often these problems remain exploitable in production web applications. In this thesis, we present an automated Playwright-based framework that discovers JWTs in web applications through priority-guided crawling, intercepts them from HTTP traffic in real time, and tests known attack modes by combining jwt_tool-based token mutation with replay of the original request context. We also define an experimental protocol with two campaigns: an authenticated scan via the SSO-Monitor platform and an unauthenticated scan based on the Tranco top-sites list.

| File | Size | Format |
|---|---|---|
| Costa_Leonardo.pdf (open access) | 3.27 MB | Adobe PDF |
The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License
https://hdl.handle.net/20.500.12608/108080