All about JWT’s

HELLO! I’m Stephanie Chamblee, Software Engineer. stephaniechamblee.com | stephaniejoychamblee@gmail.com

JSON Web Tokens (*JWT is sometimes pronounced “jot”)

Primary Sources
• RFC-7519
• OWASP
• 100% Stateless with JWT’s - Hubert Sablonnière
• JSON Web Tokens Suck - Randall Degges
• Security@ 2017 Keynote - Samy Kamkar

OVERVIEW
• Context
• Compare Session ID & JWT
• Parts of a JWT
• Security Considerations

Context of JWT

Cookies: used to store small pieces of stateful data

JWT: RFC-7519

Internet Engineering Task Force (IETF)

RFC-7519: Request for Comments, Standards Track. Source: http://www.rfc-editor.org/info/rfc7519

Context Summary

What kind of token should be used?

Cookie vs JWT

Session ID Cookie vs JWT

Referential vs Self-Contained

Session ID: Referential

Token by Reference (Session ID)

Using Session ID to verify identity


Complexities of using Session ID for verifying identity
• Server-side state management when load balancing
• Challenging to use with Microservices

JWT: Self-contained, Stateless

Token by Value (JWT) - Self-contained

Using JWT to verify identity


Using JWT to verify identity: allow/restrict access for a specified period of time


JWT vs. Session ID Summary

Parts of a JWT

3 parts of a JWT: Header . Payload . Signature
hhhhhhhhhhh.ppppppppppppp.sssssssssssssssss

HEADER

PAYLOAD

SIGNATURE

Demo https://jwt.io/ https://www.base64encode.org/

Parts of a JWT Summary
• Header - alg (algorithm) & typ (JWT)
• Payload - claims (data about the user)
• Signature - computed over the header and payload with the secret, using the algorithm specified in the header, to verify that the token is authentic

JWT Security Considerations


Why use cookies and not local storage?

Local Storage: HTML5 API which allows data to be stored right in the browser with no expiration date.

For JavaScript’s eyes only…

Local Storage Benefits
• Data stored in the browser will persist even after the browser window has been closed.
• Can hold 5 MB (compared to 4 KB in a cookie)
• Since it is kept in the browser, there’s no need to make a request through a server (better performance)
• Safe against CSRF attacks (more about that later)

Local Storage: easy to use

CSRF (pronounced “C-SURF”). OWASP: “Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.” Source: www.owasp.org. Stack Overflow answer: stackoverflow.com/questions/35291573/csrf-protection-with-json-web-tokens

Disadvantage of Local Storage: vulnerable to cross-site scripting (XSS) attacks

XSS Prevalence. Source: Web Application Attack Statistics 2017 in Review, ptsecurity.com

XSS: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Source: www.owasp.org

XSS example: The Samy Worm. Source: Security@ 2017 Keynote, https://www.youtube.com/watch?v=zWsSu5NjZL4

XSS (diagram). Source: cloudflare.com

OWASP recommendation for Local Storage
• “…any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage.”
• “Do not store session identifiers in local storage as the data is always accessible by JavaScript.”
Source: https://www.owasp.org/

Prevent CSRF and XSS with JWT
1. Use cookies with the “secure” and “HttpOnly” flags so that the token cannot be read by injected scripts (XSS).
    Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
(HttpOnly: the cookie is not readable by client-side JavaScript.)

2. Include a CSRF token in your JWT and use local storage to store the matching CSRF id.
    Payload of JWT:
    { "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "CSRFID": "k908f-1209-k3809" }
    When the JWT is set in a cookie, the page also stores the id:
    localStorage.setItem("CSRFID", "k908f-1209-k3809")
    When evaluating a request, the id sent by the page must match the claim inside the verified JWT:
    localStorage.getItem("CSRFID") === JWT.CSRFID

Token Revocation

Summary
• Context
• Compare Session ID & JWT
• Parts of a JWT
• Security Considerations

Slides: https://bit.ly/2NtUORI
THANK YOU! ANY QUESTIONS? stephaniechamblee.com | stephaniejoychamblee@gmail.com | @stephchamblee