All About JWT's

A presentation at Connect.Tech 2018 in October 2018 in Atlanta, GA, USA by Stephanie Chamblee

Slide 1

All about JWT’s

Slide 2

HELLO! I’m Stephanie Chamblee, Software Engineer. stephaniechamblee.com | stephaniejoychamblee@gmail.com

Slide 3

Slide 4

JSON Web Tokens (*JWT is sometimes pronounced “jot”)

Slide 5

Primary Sources: RFC-7519; OWASP; “100% Stateless with JWT’s”, Hubert Sablonnière; “JSON Web Tokens Suck”, Randall Degges; Security@ 2017 Keynote, Samy Kamkar

Slide 6

OVERVIEW: Context; Compare Session ID & JWT; Parts of a JWT; Security Considerations

Slide 7

Context of JWT

Slide 8

Slide 9

Slide 10

Slide 11

Cookies: used to store small pieces of stateful data

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

JWT: RFC-7519

Slide 20

Internet Engineering Task Force (IETF)

Slide 21

RFC-7519: Request for Comments, Standards Track. Source: http://www.rfc-editor.org/info/rfc7519

Slide 22

Context Summary

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

What kind of token should be used?

Slide 28

Cookie vs JWT

Slide 29

Cookie vs JWT

Slide 30

Session ID Cookie vs JWT

Slide 31

Referential vs Self-Contained

Slide 32

Session ID: Referential

Slide 33

Token by Reference (Session ID)

Slide 34

Using Session ID to verify identity

Slide 35

Using Session ID to verify identity

Slide 36

Using Session ID to verify identity

Slide 37

Using Session ID to verify identity

Slide 38

Using Session ID to verify identity

Slide 39

Using Session ID to verify identity

Slide 40

Using Session ID to verify identity

Slide 41

Using Session ID to verify identity

Slide 42

Using Session ID to verify identity

Slide 43

Complexities of using Session ID for verifying identity • Server-side state management when load balancing • Challenging to use with Microservices

Slide 44

JWT: Self-contained

Slide 45

JWT: Self-contained, Stateless

Slide 46

Token by Reference (Session ID)

Slide 47

Token by Value (JWT): Self-contained

Slide 48

Token by Value (JWT): Self-contained

Slide 49

Using JWT to verify identity

Slide 50

Using JWT to verify identity

Slide 51

Using JWT to verify identity

Slide 52

Using JWT to verify identity

Slide 53

Using JWT to verify identity

Slide 54

Using JWT to verify identity

Slide 55

Using JWT to verify identity: allow/restrict access for a specified period of time

Slide 56

Using JWT to verify identity

Slide 57

Using JWT to verify identity

Slide 58

Using JWT to verify identity

Slide 59

Using JWT to verify identity

Slide 60

JWT vs. Session ID Summary

Slide 61

Parts of a JWT

Slide 62

Slide 63

3 parts of a JWT: Header . Payload . Signature (hhhhhhhhhhh.ppppppppppppp.sssssssssssssssss)

Slide 64

3 parts of a JWT: hhhhhhhhhhh.ppppppppppppp.sssssssssssssssss = Header . Payload . Signature

Slide 65

HEADER

Slide 66

PAYLOAD

Slide 67

SIGNATURE

Slide 68

Demo: https://jwt.io/ and https://www.base64encode.org/

Slide 69

Parts of a JWT Summary: Header - alg (algorithm) & typ (type, JWT); Payload - claims (data about the user); Signature - computed over the header and payload with the secret, using the algorithm named in the header, so the server can verify the token is authentic

Slide 70

JWT Security Considerations

Slide 71

Using JWT to verify identity

Slide 72

Why use cookies and not local storage?

Slide 73

Local Storage: an HTML5 API which allows the storage of data right in the browser, with no expiration date.

Slide 74

For JavaScript’s eyes only…

Slide 75

Slide 76

Slide 77

Local Storage Benefits

Slide 78

Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed.

Slide 79

Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5 MB (compared to 4 KB in a cookie)

Slide 80

Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5 MB (compared to 4 KB in a cookie) • Since it is kept in the browser, there’s no need to make a request through a server (better performance)

Slide 81

Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5 MB (compared to 4 KB in a cookie) • Since it is kept in the browser, there’s no need to make a request through a server (better performance) • Safe against CSRF attacks (more about that later)

Slide 82

Local Storage: Easy to use

Slide 83

CSRF (pronounced “C-SURF”). OWASP: “Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.” Source: www.owasp.org. Stack Overflow answer: stackoverflow.com/questions/35291573/csrf-protection-with-json-web-tokens

Slide 84

Disadvantage of Local Storage: vulnerable to cross-site scripting (XSS) attacks

Slide 85

XSS Prevalence. Source: Web Application Attack Statistics: 2017 in Review, ptsecurity.com

Slide 86

XSS: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Source: www.owasp.org

Slide 87

XSS example: The Samy Worm

Slide 88

Slide 89

XSS example: The Samy Worm. Source: Security@ 2017 Keynote, https://www.youtube.com/watch?v=zWsSu5NjZL4

Slide 90

XSS. Source: cloudflare.com

Slide 91

OWASP recommendation for Local Storage • “…any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage.” • “Do not store session identifiers in local storage as the data is always accessible by JavaScript.” Source: https://www.owasp.org/

Slide 92

Prevent CSRF and XSS with JWT. 1. Use cookies with the “secure” and “HttpOnly” flags so that injected script (XSS) cannot read the token:
Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
(Diagram labels: Client-side JavaScript, HttpOnly, Safe)

Slide 93

Prevent CSRF and XSS with JWT. 2. Include a CSRF token in your JWT and use local storage to store the CSRF id.
Payload of JWT:
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "CSRFID": "k908f-1209-k3809" }
When a JWT is sent in a cookie:
localStorage.setItem("CSRFID", "k908f-1209-k3809")
When evaluating a request, compare the id the client read from local storage with the CSRFID claim in the (verified) JWT:
localStorage.getItem("CSRFID") === jwtPayload.CSRFID

Slide 94

Token Revocation

Slide 95

Summary: Context; Compare Session ID & JWT; Parts of a JWT; Security Considerations

Slide 96

Slides: https://bit.ly/2NtUORI. THANK YOU! ANY QUESTIONS? stephaniechamblee.com | stephaniejoychamblee@gmail.com | @stephchamblee