PodParley PodParley
PodParley
Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)

EPISODE · Nov 12, 2025 · 12 MIN

Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)

from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about:Authentication & Authorization Fundamentals:Authentication: Identifying the user.Authorization: Defining what actions an authenticated user can perform.Stateful vs. Stateless:Stateful: Session cookies store session data on the server.Stateless: Tokens are validated without server-side session storage.Basic and Digest Authentication:Basic Auth: HTTP-based, sends Base64-encoded credentials; vulnerable because Base64 is easily decoded.Digest Auth: Adds MD5 hashing with a nonce to protect credentials; less common.Attacks on Traditional Methods:MITM Attacks: Stealing credentials if HTTPS is not used.Brute Force: No retry limits enable guessing credentials.Logic Attacks (Wrong HTTP Methods): Unprotected HTTP methods allow bypassing auth.Configuration File Exploitation: Accessing .htpasswd or .htdigest and cracking hashes.Mitigation: Use HTTPS, enforce strong passwords, limit login retries, and protect all HTTP methods.Tokens, Cookies, and JWT:Cookies: Stateful; risks include XSS (if not HTTP Only), CSRF, and scalability issues.Tokens: Stateless; risks include XSS (if in local storage), CSRF (if in cookies), and non-revocable compromised tokens.JWT (JSON Web Token):Structure: Header (algorithm), Payload/Claim (user data, exp, issuer), Signature (verification).Generation: Signed using a secret key and chosen algorithm.Usage: Stateless API authentication, self-contained.JWT Attacks & Mitigation:Algorithm Bypass (None Attack): Modifying header to none can bypass verification.Algorithm Confusion (RS256 → HS256): Signing with public key due to server misconfiguration.Cracking Weak Secrets: Brute force or dictionary attacks on weak signing keys.Mitigation for JWT: Enforce strong random keys, backend-enforced algorithm validation, short token expiration, and HTTPS.Core takeaway: Modern web authentication requires careful design of state handling (cookies vs tokens), secure credentials, and robust JWT management to prevent bypasses, tampering, and data leaks.You can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy

NOW PLAYING

Course 2 - API Security Offence and Defense | Episode 2: Authentication Methods and Security: Basic, Digest, and JSON Web Tokens (JWT)

0:00 12:15

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Share this episode

Similar Episodes

Episode 126: Stop Chasing Followers — Do This Instead

Apr 28, 2026 ·22m

Luke 13

Apr 19, 2026 ·43m

Luke 12

Apr 12, 2026 ·31m

Luke 22

Mar 22, 2026 ·33m

Luke 11

Mar 15, 2026 ·31m

Episode 125: What You Need To Do First Before Marketing Your New Business!

Mar 11, 2026 ·23m

Similar Podcasts

Simple Marketing Academy - by Fox Social Media Jill W. Fox & Tanner J. Fox Welcome to Simple Marketing Academy, where entrepreneurs & small business owners learn how to successfully market their businesses in a simple and inexpensive way, in order to reach more of their ideal customers & increase their sales! South West London Vineyard Church South West London Vineyard South West London Vineyard is a Christian church that meets in Putney. The church started with a small group of people in 1987 who wanted to see how following Jesus could make a difference, not only to their lives, but also to the lives of the people in the city around them.Sundays from 10:30-12pm at Ark, Putney, Academy, Pullman Gardens, London, SW15 3DG. You'd be really welcome. Leading With Purpose Nathan R Mitchell: Increase your self-awareness, lead to your full potential, & achieve more in less time with the Leading with Purpose - Empowering Talk Radio Podcast | Inspired by Tony Robbins, Simon Sinek, Daniel Pink, Seth Godin, Brendon Burchard, Bob INCREASE YOUR SELF-AWARENESS | LEAD TO YOUR POTENTIAL | ACHIEVE MORE IN LESS TIME: Let America's Leading Empowerment Coach, Founder of Clutch Consulting, LPX Academy, and Certified Member of The John Maxwell Team, Nathan R Mitchell, empower you to increase your self-awareness, lead to your full potential, and achieve more in less time. Drawing upon inspiration from Tony Robbins, Simon Sinek, Daniel Pink, Seth Godin, Bob Burg, John Maxwell, Brendon Burchard and others, on each episode of Leading With Purpose – Empowering Talk Radio, Nathan interviews top coaches, speakers, business owners, authors, and other experts to provide leaders and achievers with the information they need to get from where they are now to where they desire to be. Past guests have included Brian Smith - Founder of UGG Shoes, Lisa Nichols of Motivating the Masses, Lee Milteer, Dr. Josh Davis, Ben Gay III, Eric Lofholm, and many others. Beyond The Basics Health Academy Podcast Dr. Meaghan Kirschling Are you looking for practical, holistic, real-life solutions for healthier living? Join Dr. Meaghan Kirschling for real life education as she discusses and explores topics that affect everyday living. Dr. Meaghan brings in expert guests for a lively discussion about nutrition, supplements, holistic health, integrative medicine, and the latest research on a variety of topics. Join the Academy for the University of You!
URL copied to clipboard!