The Hacker's Guide to JWT Security

@yonlabs#jfokus #jwtsecurity #yonlabs
The Hacker’s Guide
to JWT Security
Patrycja Wegrzynowicz
Yon Labs

About Me
! 20+ professional experience
– Software engineer, researcher,
head of software R&D
! Author and speaker
– JavaOne, Devoxx, JavaZone, …
! Top 10 Women in Tech 2016 PL
! Founder and CTO Yon Labs
– Automated detection and refactoring of
software defects
– Consulting, trainings, code audits
– Security, performance, databases

Agenda
! Introduction to JSON Web Tokens
! Demo
– 4 demos
– Problems: RFC, algorithms, implementations, applications
! Best practices

The First Caveat of JWT…
How to pronounce JWT?

RFC 7519, JSON Web Token
source: https://tools.ietf.org/html/rfc7519

JSON Web Token
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIiwiaWF0IjoxNTczMDk2NT
U4LCJpc3MiOiJqd3QtZGVtbyIsImV4cCI6MTU3NTY4ODU1OH
0.wf50qNmdWNSw2e3OeAvjUdH50hX4ak6S47nh7VNn6Vk

JSON Web Token
source: https://jwt.io
BASE64URL

HTTP Request with JSON Web Token

Demo #1
None Algorithm

Demo #1, None Algorithm
NO SIGNATURE

io.jsonwebtoken
parseClaimsJws

Another Library with None Problem
! National Vulnerability Database
source: https://nvd.nist.gov/vuln/detail/CVE-2018-1000531

Demo #1, None Algorithm, Problems
! RFC problem
– none available
! Implementation problem
– Libraries and their APIs
! Application developers’ problem
– Know your tools

Library API Problem
! Examples
– parse vs. parseClaimsJws
– decode vs. verify
! Best practices
– Understand your JWT library
– Check out NVD
– Require a specific algorithm and a key during verification

Why to Require Algorithm and Key?
! HMAC-SHA signed with RSA public key

HMAC-SHA signed with RSA public key
JWT
Algorithm: RS (asymmetric RSA + SHA)
signed with a server RSA private key
verified with a server RSA public key
server JWT
Changed algorithm: HS (symmetric HMAC + SHA)
signed with a server RSA public key as an HMAC secret
(RSA public keys often available)
verified with a server key (RSA public key used in HMAC)

Why to Require Algorithm and Key?
! Key provided in JWT header (sic!)

Key provided in JWT header (sic!)
JWT
Algorithm: RS (asymmetric)
signed with a server’s RSA private key
verified with a server’s RSA public key
server JWT
Algorithm: RS (asymmetric)
signed with a hacker’s RSA private key
A hacker’s RSA public key provided in a JWT header
verified with a hacker’s RSA public key (!)

Good API Design: auth0:java-jwt

Demo #2
HS256 Password/Key Cracking

Demo #2, hashcat

Demo #2, Problems
! Only one token needed
– No communication with a verification server
– All cracking done offline
– A victim/a system are unaware of the attack
! Weak key problem
! Complications
– Many algorithms
– Different kinds of keys

JWT, Algorithms
! HS Family
– HMAC with SHA
– Symmetric
! RS Family
– RSA with SHA
– Asymmetric
! ES/PS Families
– Elliptic Curves with SHA
– RSA Probabilistic Signature Schema with SHA

JWT, HS Family
! HMAC with SHA
– 256, 384, 512
– Symmetric, shared key
! Key size
– https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-
strong-keys-to-sign-jwts/
– „As a rule of thumb, make sure to pick a shared-key as long as the length of the
hash.”
– HS256 => 32 bytes minimum
! Scalability
– More servers => larger attack surface
– One server compromised => the entire system compromised

JWT, RS Family
! RSA-PKCS1.5 with SHA
– 256, 384, 512
– Asymmetric, public/private keys
! Key size
– https://www.nist.gov (US DoC) recommendation
– 2048 bits => 256 bytes
– 3072 bits for security beyond 2030
! Scalability and performance
– Authentication server/servers => private key
– Verification servers => public key
– The longer key => the slower verification

Demo #3
Packet Sniffing

Demo #3, Problems
! Lack of encryption
– HTTPS
! Token sidejacking
– Stolen tokens can be freely used
– Used as long as they are valid (expiration time!)
– “Replay” attack

Demo #4
XSS to Steal a Token

XSS Attack Vector

Demo #4, Problems and Solutions
! XSS
! No way to block access to a session storage for JS
! Best practices anti-XSS
– Content Security Policy
– Code audits/pen-testing to discover XSS
– Good libraries and smart usage
! Hardened cookie as a storage mechanism for JWT
– No server-side state
– Flags: secure, httpOnly, sameSite
– But… CSRF L

OWASP Token Sidejacking Solution
! https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token
_Cheat_Sheet_for_Java.html
! Fingerprint
– Random secure value
– Hashed and added to JWT claims
– Raw value set as a hardened cookie
! JWT in session storage
! Verification
– Verifies JWT
– Hashes a cookie value
– Verifies if a hashed cookie and JWT fingerprint values are equal

Token Sidejacking Solution:
Fingerprinting with Cookie
JWT
Fingerprint claim: Hash(RANDOM)
server
Stolen JWT
No cookie/no RANDOM available!
Cookie
Fingerprint: raw RANDOM
Verification
JWT verification
Hash(cookie) == Fingerprint claim in JWT

Basic Hygiene: Timeouts and Logouts
! Logouts
– No built-in feature to revoke a
token
– User must be able to explicitly
stop a session
! Timeouts
– No built-in feature to implement
an inactivity timeout
– To avoid re-logging often we use a
long-expiration time Photo by Piron Guillaume on Unsplash

Basic Hygiene: Timeouts and Logouts
! Logouts
– Blacklist/invalidation store on the
server-side
! Timeouts
– Shorter token expiration times
– Accepting re-logging or refreshing
access tokens
STATE

JWT Security

A fool with a tool is only a fool

Continuous Learning

Q&A
! patrycja@yonlabs.com
! @yonlabs

The Hacker's Guide to JWT Security

More Related Content

What's hot (20)

Similar to The Hacker's Guide to JWT Security (20)

More from Patrycja Wegrzynowicz (11)

Recently uploaded (20)

The Hacker's Guide to JWT Security