Download as PDF, PPTX
![Security Concern
Changing the algorithm from RS256 to HS256
const decoded = jwt.verify(
token,
publickRSAKey,
{ algorithms: ['HS256' , 'RS256'] } //accepted both algorithms
)
//header
{
alg: 'RS256' => 'HS256'
}
//payload
{
sub: '123',
name: ‘ahmed ali’,
admin: 'false' => 'true'
}
modification that attacker can make:](https://image.slidesharecdn.com/jwt-security-191110090923/85/Jwt-Security-37-320.jpg)
Uploaded bySeid Yassin
Jwt Security
JSON Web Tokens (JWTs) are a compact way to securely transmit information between parties as a JSON object signed with a secret or public/private key pair. JWTs have three parts - a header specifying the signing algorithm, a payload containing claims, and a signature. The document discusses the structure and security concerns of JWTs such as information leakage, weak algorithms, and attacks that modify the algorithm or signature.
![[OPD 2019] Attacking JWT tokens](https://cdn.slidesharecdn.com/ss_thumbnails/attackingjwttokens-191021171156-thumbnail.jpg?width=640&height=640&fit=bounds)
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Jwt Security
- 1. JSON Web Tokens(JWT) Security SeidYassin.ApplicationSecurityConsultant.Dtssolution
- 2. • What isJSON Web Token? • Why we use JSON Web Tokens? • When should you use JSON Web Tokens? • What is the JSON Web Token structure? • How do JSON Web Tokens work? • Security Concerns / Attack Types / Agenda
- 3. What is JSONWeb Token? JSON Web Tokens are an open, compact and self-contained industry standard RFC 7519 method for representing claims securely between two parties.
- 4.
- 5.
- 6. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2 QT4fwpMeJf36POk6yJV_adQssw5c Compact: Because ofits smaller size, JWTs can be sent through an URL, POST parameter, or inside an HTTP header Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
- 7. JWT Security :The basics - Sessions Browser Server Database POST /login Username …. Password …. Select Username …. AND Password …. 200 ok Set-Cookie : SESSIONID = A42 Found {…….} Set-Cookie : SESSIONID = A42 Get /Homepage 200 ok Hello JOHN Set ID = A42 Get ID = A42 Found {…….} Memory
- 8. JWT Security :The basics Browser Server
- 9. JWT Security :The basics Browser Server Load Balancer Server
- 10. JWT Security :The basics Browser Load Balancer Server Server Server Server
- 11. JWT Security :The basics Browser Load Balancer Server Server Server Server ID=A41 ID=A41
- 12. JWT Security :The basics Browser Load Balancer Server Server Server Server ID=A41 ? ID=A41 ID=A41 ??
- 13. JWT Security :The basics Browser Load Balancer Server Server Server Server Shared Cache ID=A41 ID=A42 ID=B41 ID=C40 ID=A41 ? < Single Point Of Failure >
- 14. JWT Security :The basics Browser Load Balancer Server Server Server Server Distributed Cache
- 15. JWT Security :The basics Browser Load Balancer + Sticky Sessions Server Server Server Server Distributed Cache
- 16. How about … Manageand Maintain the state at client side
- 17. JWT Security :The basics - JWT Browser Server Database POST /login Username …. Password …. Select Username …. AND Password …. 200 ok Set-Cookie : JWT = H3.P4.S1 Found {…….} Cookie: JWT = H3.P4.S1 Get /Homepage 200 ok Hello JOHN Write + Sign Verify + read
- 18.
- 19.
- 20. Three parts separatedby dots (.), which are: • Header • Payload • Signature What is the JSON Web Token structure?
- 21. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2 QT4fwpMeJf36POk6yJV_adQssw5c • Header: Tokentype and hashing algorithm • Payload: User / verification content / Claims • Signature: Header, payload, and secret What a Signed Token will Look Like xxxxxxx.yyyyyyy.zzzzzzz JWT high-level representation Header.Payload.Signature
- 22. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2 QT4fwpMeJf36POk6yJV_adQssw5c JWT Structure :Header xxxxxxx.yyyyyyy.zzzzzzz Typically consists of two parts: • hashing algorithm being used, such as HMAC SHA256 or RSA. • type of the token, which is JWT, • This JSON is Base64Url encoded to form the first part of the JWT
- 23. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2 QT4fwpMeJf36POk6yJV_adQssw5c JWT Structure :Payload xxxxxxx.yyyyyyy.zzzzzzz Payload contains the claims - statements about an entity (typically, the user) and additional metadata. • Reserved claims: A set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Examples: iss (issuer), exp (expiration time), sub (subject), aud (audience) • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace. • Private claims: These are the custom claims created to share information between parties that agree on using them.
- 24. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2 QT4fwpMeJf36POk6yJV_adQssw5c JWT Structure :Signature xxxxxxx.yyyyyyy.zzzzzzz • Take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign it. • The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. • For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
- 25. What a SignedToken will Look Like jwt.io
- 26.
- 27. Tokens By Reference ByValue SESSIONID = 42 JWT= h432121.hso33jl.iwoe
- 28. Use case JWT forAPI Authentication/Authorization
- 29.
- 30. Security Concern The leakageof sensitive information • the payload is transmitted in plaintext, information leakage occurs if there is sensitive information in the payload • eg. • Credentials • internal IP addresses through the tokens.
- 31. Security Concern Weak algorithmsfor signature JWT Signing Algorithms The most common algorithms for signing JWTs are: HMAC + SHA256 (HS256) RSASSA-PKCS1-v1_5 + SHA256 (RS256) ECDSA + P-256 + SHA256 ( ES256)
- 32. Security Concern Weak Secret/ Brute-Forcing HS256 • conduct offline brute-force attacks against the token by using wordlists of possible secret-keys • It is recommended to use sufficiently long (256 bit) keys to safeguard against these attacks. Please note the RFC7518 standard states that "A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm." Tools : jwt-cracker
- 33. Security Concern Not Verifyingthe Algorithm - Signature Stripping attack Modify the algorithm to none • Some JWT libraries support the none algorithm, that is, no signature algorithm. • When the alg is none, the backend will not perform signature verification. • After changing alg to none, remove the signature data from the JWT (only header + ‘.’ + payload + ‘.’) and submit it to the server.
- 34. Security Concern Not Verifyingthe Algorithm - Signature Stripping attack Modify the algorithm to none eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0 NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2Mj M5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQ ssw5c eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0 NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2Mj M5MDIjkl. //header { alg: ‘HS256’ } //payload { sub: '123', name: ‘ahmed ali’, admin: 'false' } //header { alg: 'none' } //payload { sub: '123', name: ‘ahmed ali’, admin: 'true' }
- 35. Security Concern Not Verifyingthe Algorithm - Signature Stripping attack Modify the algorithm to none CVE-2018–1000531 - INVERSOFT PRIME-JWT Most of the modern implementations now have an added security check that rejects tokens set with ‘none’ algorithm when a secret-key was used to issue them. If you receive a JWT with an unexpected algorithm, type header, etc, discard it, and stop right there.
- 36. Security Concern Changing thealgorithm from RS256 to HS256 • The algorithm HS256 uses a secret key to sign and verify each message. • The algorithm RS256 uses a private key to sign messages, and a public key to verify them. • If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. Consider the following example code, which could be present at the server: jwt = JWT.decode(token, public_key) signing our own token using HS256 with the public key of the RS256 algorithm The backend code uses the RSA public key + HS256 algorithm for signature verification.
- 37. Security Concern Changing thealgorithm from RS256 to HS256 const decoded = jwt.verify( token, publickRSAKey, { algorithms: ['HS256' , 'RS256'] } //accepted both algorithms ) //header { alg: 'RS256' => 'HS256' } //payload { sub: '123', name: ‘ahmed ali’, admin: 'false' => 'true' } modification that attacker can make:
- 38. Security Concern Changing thealgorithm from RS256 to HS256 openssl s_client -connect <hostname>:443 openssl x509 -in cert.pem -pubkey –noout > key.pem echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU0NzcyOTY2MiwiZXhwIjoxNTQ3Nzk5O Tk5LCJkYXRhIjp7Ik5DQyI6InRlc3QifX0" | openssl dgst -sha256 -mac HMAC -macopt hexkey: 2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b 4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932 323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5 965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574 534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786 f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c50 4c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a 2zobdg7sgeApcEaR9ngMTRZT1dkWiMJOWYkelzQu5Z8
- 39. Security Concern Changing thealgorithm from RS256 to HS256 eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdr ZW1wZXIubmxcLyIsImlhdCI6MTU0NzcyOTY2MiwiZXhwIjoxNTQ3Nzk5OTk5LCJkYXRhIjp7Ik5DQ yI6InRlc3QifX0.2zobdg7sgeApcEaR9ngMTRZT1dkWiMJOWYkelzQu5Z8 Resolution 1. Use only one encryption algorithm (if possible) 2. Create different functions to check different algorithms
- 40. Security Concern Reusing thesame key across services • Substitution attack Service #1 Service #2 Jwt1 Jwt2
- 41. Security Concern Reusing thesame key across services • Substitution attack Service #1 Admin:true Service #2 Admin: false Jwt1 Jwt1
- 42. Security Concern Reusing thesame key across services • Substitution attack • Add Audience to payloads • Use different secret for each service //header { alg: ‘HS256' } //payload { sub: '123', name: ‘ahmed ali’, admin: ‘false’, aud: ‘service #1’ } //header { alg: ‘HS256' } //payload { sub: '123', name: ‘ahmed ali’, admin: ‘True’, aud: ‘service #2’ }
- 43.
- 44.