JWT

What are JSON Web Tokens (JWT)? How they are used in web applications for authentication and authorization? Discuss some advantages and potential security concerns associated with JWT? Mitigations?

Source: https://jwt.io/introduction

JWT.IO - JSON Web Tokens IntroductionJSON Web Tokens - jwt.io

Format of JWT:

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

{ "alg": "HS256", "typ": "JWT" }

After which, it is Base64Url encoded to form the first of the 3 parts

Payload

Claims are the second part of the token
They are statements of the entity(Typically user) + additional data
There are 3 types of claims: registered, public, and private claims.

Registered claims:

These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims.
Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

Public claims:

These can be defined at will by those using JWTs.
To avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

Private claims:

These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

Format:

{ "sub": "1234567890", "name": "John Doe", "admin": true }

After which, it is Base64Url encoded to form the second of the 3 parts

Signature

To create the signature, the following are used to create a signature

encoded header,
encoded payload,
a secret
algorithm specified in the header

Example signing:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Usage

Single Sign On is a feature that widely uses JWT

Authentication

When the user successfully logs in using their credentials, JSON Web Token will be returned.

Why should we use JWT?

JWT is smaller when compared to Simple Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML).
Signing process for JWT is more secured than signing XML format
Easier mapping
- XML doesn't have a natural document-to-object mapping
- JSON has :)

Problems?

Source: https://portswigger.net/web-security/jwt

JWT attacks | Web Security AcademyWebSecAcademy

Man-In-The-Middle attacks
JWT header parameter injections
Brute-forcing secret keys
JWT algorithm confusion

Mitigations

Use an up-to-date library for handling JWTs and make sure your developers fully understand how it works, along with any security implications. Modern libraries make it more difficult for you to inadvertently implement them insecurely, but this isn't foolproof due to the inherent flexibility of the related specifications.
Make sure that you perform robust signature verification on any JWTs that you receive, and account for edge-cases such as JWTs signed using unexpected algorithms.
Enforce a strict whitelist of permitted hosts for the jku header.
Make sure that you're not vulnerable to path traversal or SQL injection via the kid header parameter.

Best Practices:

Always set an expiration date for any tokens that you issue.
Avoid sending tokens in URL parameters where possible.
Include the aud (audience) claim (or similar) to specify the intended recipient of the token. This prevents it from being used on different websites.
Enable the issuing server to revoke tokens (on logout, for example).

Author: `Beckham`🐱‍👤

Tool to Play around with JWT

JWT.IOJSON Web Tokens - jwt.io

PreviousCode Review NextJWT vs Session Based Authentication

Last updated 1 year ago

hashtagFormat of JWT:

hashtagHeader

hashtagPayload

hashtagRegistered claims:

hashtagPublic claims:

hashtagFormat:

hashtagSignature

hashtagExample signing:

hashtagUsage

hashtagSingle Sign On is a feature that widely uses JWT

hashtagWhy should we use JWT?

hashtagProblems?

hashtagMitigations

hashtagBest Practices:

hashtagAuthor: Beckhamarrow-up-right🐱‍👤

hashtagTool to Play around with JWT