All about JWT’s
A presentation at Connect.Tech 2018 in October 2018 in Atlanta, GA, USA by Stephanie Chamblee
All about JWT’s
HELLO! I’m Stephanie Chamblee Software Engineer stephaniechamblee.com stephaniejoychamblee@gmail.com
JSON Web Tokens *JWT is sometimes pronounced “jot”
Primary Sources RFC-7519 OWASP 100% Stateless with JWT’s Hubert Sablonnière JSON Web Tokens Suck - Randall Degges Security@ 2017 Keynote: Samy Kamkar
OVERVIEW Context Compare Session ID & JWT Parts of a JWT Security Considerations
Context of JWT
Cookies Used to store small pieces of stateful data
JWT RFC-7519
International Engineering Task Force
RFC-7519 Request for Comments Standard Track Source: http://www.rfc-editor.org/info/rfc7519
Context Summary
What kind of token should be used?
Cookie vs JWT
Cookie vs JWT
Session ID Cookie vs JWT
Referencial vs Self-Contained
Session ID Referencial
Token by Reference (Session ID)
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Using Session ID to verify identity
Complexities of using Session ID for verifying identity •Server-side state management when load balancing • Challenging to use with Microservices
JWT Self-contained
JWT Self-contained Stateless
Token by Reference (Session ID)
Token by Value (JWT) - Self-contained
Token by Value (JWT) - Self-contained
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity Allow/restrict access for a specified period of time
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
Using JWT to verify identity
JWT vs. Session ID Summary
Parts of a JWT
3 parts of JWT Header Payload Signature hhhhhhhhhhh .ppppppppppppp . sssssssssssssssss
3 parts of JWT hhhhhhhhhhh .ppppppppppppp . sssssssssssssssss Header Payload Signature
HEADER
PAYLOAD
SIGNATURE
Demo https://jwt.io/ https://www.base64encode.org/
Parts of a JWT Summary Header - alg (algorithm) & type (JWT) Payload - claims (data about the user) Signature - uses payload, header and secret and specified algorithm in the header to verify authentic token
JWT Security Considerations
Using JWT to verify identity
Why use cookies and not local storage?
Local Storage HTML5 API which allows the storage of of data right in the browser with no expiration date.
For JavaScript’s eyes only…
Local Storage Benefits
Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed.
Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5mb (compared to 4k in a cookie)
Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5mb (compared to 4k in a cookie) • Since it is kept in the browser, there’s no need to make a request through a server (better performance)
Local Storage Benefits • Data stored in the browser will persist even after the browser window has been closed. • Can hold 5mb (compared to 4k in a cookie) • Since it is kept in the browser, there’s no need to make a request through a server (better performance) • Safe against CSRF attacks (more about that later)
Local Storage Easy to use
CSRF (C-SURF) OWASP “Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.” Source: www.owasp.org Stack Overflow Answer: stackoverflow.com/questions/35291573/csrf-protection-with-json-web-tokens
Disadvantage of Local Storage Vulnerable against cross-site scripting (XSS) attacks
XSS Prevalence Source: WEB APPLICATION ATTACK STATISTICS 2017 IN REVIEW ptsecurity.com
XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Source: www.owasp.org
XSS example The Samy Worm
XSS example The Samy Worm Source: Security@ 2017 Keynote https://www.youtube.com/watch?v=zWsSu5NjZL4
XSS source: cloudflare.com
OWASP recommendation for Local Storage •…any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage. •Do not store session identifiers in local storage as the data is always accessible by JavaScript. https://www.owasp.org/
Prevent CSRF and XSS with JWT 1. Use Cookies with “secure” and “HttpOnly” flags to prevent XSS Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly] Client-side JavaScript HttpOnly Safe
Prevent CSRF and XSS with JWT 2. Use include a CSRF token in your JWT and use local storage to store a CSRF id. Payload of JWT: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022, “CSRFID”: “k908f-1209-k3809” } When a JWT is sent in a cookie: localStorage.setItem(“CSRFID”, “k908f-1209-k3809”) When evaluating a request: localStorage.getItem(“CSRFID”) === JWT.CSRF
Token Revocation
Summary Context Compare Session ID & JWT Parts of a JWT Security Considerations
Slides: https://bit.ly/2NtUORI THANK YOU! ANY QUESTIONS? stephaniechamblee.com stephaniejoychamblee@gmail.com @stephchamblee
