<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>All Posts - Camilo Verdugo</title><link>https://cavg.github.io/posts/</link><description>All Posts | Camilo Verdugo</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright><lastBuildDate>Mon, 06 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://cavg.github.io/posts/" rel="self" type="application/rss+xml"/><item><title>Exploiting JSON Web Key (JWK)</title><link>https://cavg.github.io/exploiting-jwk/</link><pubDate>Mon, 06 Jul 2026 00:00:00 +0000</pubDate><author>Camilo Verdugo</author><guid>https://cavg.github.io/exploiting-jwk/</guid><description><![CDATA[<p>JWTs are everywhere. They are the stateless session token of choice for modern web applications. But with great convenience comes a long tail of misconfigurations that turn a robust cryptographic standard into a wide-open door.</p>
<p>This post explores one of the more elegant attacks in the JWT ecosystem: <strong>JWK injection</strong>. By the end, you will understand how a misplaced trust in the <code>jwk</code> header parameter can let an attacker forge tokens at will, and — more importantly — how to shut it down.</p>]]></description></item></channel></rss>