JSON Web Tokens (JWT) Security
JWTs (JSON Web Token, pronounced ‘jot’) are becoming a popular way of handling auth. In his presentation, Seid discussed what is a JWT, what are its pros/cons and the best practices in implementing JWT on the client-side, keeping security in mind.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
JWTs can be broken down into three parts: header, payload, and signature.
Each part is separated from the other by dot (.), and will follow the below structure:
Header.Payload.Signature
Each part is separated from the other by dot (.), and will follow the below structure:
Header.Payload.Signature
HEADER
The information contained in the header describes the algorithm used to generate the signature. The decoded version of the header from the above example looks like:
{
“alg”: “HS256”,
“typ”: “JWT”
}
PAYLOAD
All the claims within JWT authentication are stored in this part
{
“sub”: “1234567890”,
“name”: “John Doe”,
“iat”: 1516239022
}
SIGNATURE
The signature part of a JWT is derived from the header and payload fields. The steps involved in creating this signature are described below:
1. Combine the base64url encoded representations of header and payload with a dot (.)
base64UrlEncode(header) + “.” + base64UrlEncode(payload)
2. Hash the above data with a secret-key only known to the server issuing the token. The hashing algorithm is the one described inside the header.
hash_value = hash([base64UrlEncode(header) + “.” + base64UrlEncode(payload)], secret-key)
hash_value = hash([base64UrlEncode(header) + “.” + base64UrlEncode(payload)], secret-key)
JWT typically passed in the Authorization header when a user submits a request to the client.
Security Issues
Information disclosure
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
It is important not to leak sensitive information such as internal IP addresses through the tokens inside the payload
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
It is important not to leak sensitive information such as internal IP addresses through the tokens inside the payload
NONE hashing algorithm
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
Use a JWT library that is not exposed to this vulnerability and implementat an added security check that rejects tokens set with ‘none’ algorithm when a secret-key was used to issue them.
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
Use a JWT library that is not exposed to this vulnerability and implementat an added security check that rejects tokens set with ‘none’ algorithm when a secret-key was used to issue them.
Token revocation
JWT become only invalid when it expires. The user has no built-in feature to explicitly revoke the validity of an token.if it is stolen, a user cannot revoke the token itself and then block the attacker. br> How to prevent
implement a token blacklist that will be used to mimic the “logout” feature that exists with traditional session system.
JWT become only invalid when it expires. The user has no built-in feature to explicitly revoke the validity of an token.if it is stolen, a user cannot revoke the token itself and then block the attacker. br> How to prevent
implement a token blacklist that will be used to mimic the “logout” feature that exists with traditional session system.
JSON Web Tokens (JWT) Security
JWTs (JSON Web Token, pronounced ‘jot’) are becoming a popular way of handling auth. In his presentation, Seid discussed what is a JWT, what are its pros/cons and the best practices in implementing JWT on the client-side, keeping security in mind.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
JWTs can be broken down into three parts: header, payload, and signature.
Each part is separated from the other by dot (.), and will follow the below structure:
Header.Payload.Signature
HEADER
The information contained in the header describes the algorithm used to generate the signature. The decoded version of the header from the above example looks like:
{
“alg”: “HS256”,
“typ”: “JWT”
}
PAYLOAD
All the claims within JWT authentication are stored in this part
{
“sub”: “1234567890”,
“name”: “John Doe”,
“iat”: 1516239022
}
SIGNATURE
The signature part of a JWT is derived from the header and payload fields. The steps involved in creating this signature are described below:
1. Combine the base64url encoded representations of header and payload with a dot (.)
base64UrlEncode(header) + “.” + base64UrlEncode(payload)
2. Hash the above data with a secret-key only known to the server issuing the token. The hashing algorithm is the one described inside the header.
hash_value = hash([base64UrlEncode(header) + “.” + base64UrlEncode(payload)], secret-key)
hash_value = hash([base64UrlEncode(header) + “.” + base64UrlEncode(payload)], secret-key)
JWT typically passed in the Authorization header when a user submits a request to the client.
Security Issues
Information disclosure
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
It is important not to leak sensitive information such as internal IP addresses through the tokens inside the payload
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
It is important not to leak sensitive information such as internal IP addresses through the tokens inside the payload
NONE hashing algorithm
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
Use a JWT library that is not exposed to this vulnerability and implementat an added security check that rejects tokens set with ‘none’ algorithm when a secret-key was used to issue them.
Attacker access to a token and extract information stored into it (JWT token information are base64 encoded at the basis) inside the payload in order to obtains information about the system.
How to prevent
Use a JWT library that is not exposed to this vulnerability and implementat an added security check that rejects tokens set with ‘none’ algorithm when a secret-key was used to issue them.
Token revocation
JWT become only invalid when it expires. The user has no built-in feature to explicitly revoke the validity of an token.if it is stolen, a user cannot revoke the token itself and then block the attacker.
How to prevent
implement a token blacklist that will be used to mimic the “logout” feature that exists with traditional session system.
JWT become only invalid when it expires. The user has no built-in feature to explicitly revoke the validity of an token.if it is stolen, a user cannot revoke the token itself and then block the attacker.
How to prevent
implement a token blacklist that will be used to mimic the “logout” feature that exists with traditional session system.
See also: