
JWT

What are JSON Web Tokens (JWT)? How are they used in web applications for authentication and authorization? Discuss some advantages and potential security concerns associated with JWT, and their mitigations.


Last updated 1 year ago


Format of JWT:

Header

The header typically consists of two parts: the type of the token (JWT) and the signing algorithm in use, such as HMAC-SHA256 (HS256) or RSA (RS256).

{ "alg": "HS256", "typ": "JWT" }

This JSON is then Base64Url-encoded to form the first of the three parts.

Payload

  • Claims are the second part of the token.

  • They are statements about an entity (typically the user) plus additional data.

  • There are three types of claims: registered, public, and private claims.

Registered claims:

  • These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims.

Public claims:

  • These can be defined at will by those using JWTs.

Private claims:

  • These are custom claims created to share information between parties that agree on using them, and are neither registered nor public claims.

Format:

{ "sub": "1234567890", "name": "John Doe", "admin": true }

This JSON is then Base64Url-encoded to form the second of the three parts. Note that encoding is not encryption: anyone holding the token can read the header and payload, so never put secrets in the claims.

Signature

The signature is computed from:

  • the encoded header,

  • the encoded payload,

  • a secret (for HMAC) or private key (for RSA/ECDSA), and

  • the algorithm specified in the header.

Example signing:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Usage

Single Sign-On (SSO) is a feature that widely uses JWT

Authentication

When the user successfully logs in with their credentials, a JSON Web Token is returned. The client then presents it on each subsequent request, typically in the Authorization header using the Bearer scheme, and the server authorizes the request from the token's verified claims without looking up a server-side session.

Why should we use JWT?

  • JWT is more compact than Simple Web Tokens (SWT) and Security Assertion Markup Language (SAML) tokens, so it fits comfortably in an HTTP header or URL.

  • Signing is safer: JWT can be signed with a public/private key pair (e.g. RSA), whereas SWT only supports symmetric HMAC signing with a shared secret, and XML Digital Signature (used by SAML) is notoriously hard to implement without introducing security holes.

  • Easier mapping

    • XML doesn't have a natural document-to-object mapping

    • JSON does, so JWTs map directly onto objects in most languages

Problems?

  • Man-in-the-middle attacks: a JWT is a bearer token, so anyone who captures it (over plaintext HTTP, from a URL, or from a log) can replay it until it expires.

  • JWT header parameter injection: the attacker supplies their own key via the jwk or jku header parameter, or abuses kid, so the server verifies a self-signed token.

  • Brute-forcing weak HMAC secret keys offline from a single captured token.

  • JWT algorithm confusion: the server lets the token's alg header pick the verification routine, so an RS256 public key gets used as an HS256 secret, or "alg": "none" with an empty signature is accepted.

Mitigations

  • Use an up-to-date library for handling JWTs and make sure your developers fully understand how it works, along with any security implications. Modern libraries make it more difficult for you to inadvertently implement them insecurely, but this isn't foolproof due to the inherent flexibility of the related specifications.

  • Make sure that you perform robust signature verification on any JWTs that you receive, and account for edge-cases such as JWTs signed using unexpected algorithms.

  • Enforce a strict allowlist of permitted hosts for the jku header parameter.

  • Make sure that you're not vulnerable to path traversal or SQL injection via the kid header parameter, which servers often use to look up the verification key on disk or in a database.

Best Practices:

  • Always set an expiration date for any tokens that you issue.

  • Avoid sending tokens in URL parameters where possible.

  • Include the aud (audience) claim (or similar) to specify the intended recipient of the token, and verify it on receipt. This prevents a token issued for one site from being accepted on another.

  • Enable the issuing server to revoke tokens (on logout, for example).

Tool to Play around with JWT

  • JWT.IO (https://jwt.io): decode, verify and generate example tokens in the browser. Avoid pasting production tokens or secrets into it.

Notes on claims (from the JWT.IO introduction):

  • Registered claims: some of them are iss (issuer), exp (expiration time), sub (subject), aud (audience), and others listed in the IANA JSON Web Token Registry.

  • Public claims: to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.

Source:

  • JWT.IO - JSON Web Tokens Introduction: https://jwt.io/introduction

  • JWT attacks | Web Security Academy (PortSwigger): https://portswigger.net/web-security/jwt

  • IANA JSON Web Token Registry (the claims registry referenced above)

Author: 🐱‍👤 Beckham