Web Security Workbook

# JSON Web Token (JWT)

A07:2021

# Background

# Context

JTWs are a standard that is defined in RFC 7519 (opens new window). The token consists of a header, a payload and a signature. Within its header, metainformation about the token, such as the used hashing algorithm or the type of the JWT. Its payload carries data that is required by the application. Both of these components are Base64 encoded and concatenated with a dot. This string is not only used to start the JWT but also used in the signature in which a HMAC function is used to create a hash of it. The resulting hash is concatenated to the above mentioned string.

# Problems

  1. In case the validation is influenced by the alg attribute, an attacker can dodge the validation or manipulate it.
    • Insecure libraries except none as algorithm, causing the JWT to always be valid.
    • Also allows the forging of new JWTs if for example RSA was used for encryption.
      • Attackers switch from RSA to HMAC and encrypt a new token with the public key used in RSA
      • The library now switches from RSA to HMAC because of the changed header and uses the public key as secret
      • The token is valid because the attacker used the public key to encrypt the token
  2. Storing of JWTs is not included in the standard
  3. Tokens cannot be revoked
    • Implementation of token blacklist is possible but then session cookies can be used instead
  4. Stolen JWTs (trough for example XSS) can therefore be used to authenticate requests

# Solution

  • Usage of secure libraries that only allow certain alg values
  • Usage of other authentication methods

# Technology

DANGER

All problems except the first two are native to JWTs and not solvable

# Node.js Libraries

The first of the above described problems is solved through the jsonwebtoken (opens new window) library. The parameter that is passed to the verify method is evaluated whether its content is a public key or not. If it is a public key, the RSA encryption is used and if not, the string is used as secret and only HMAC based encryption is used.

# Java

The libraries available in Java io.jsonwebtoken (opens new window) or java-jwt (opens new window) work similar.

Last Updated: 7/3/2022, 3:51:46 PM

Passwort Hashing