Three New Attacks Against JSON Web Tokens

Security

Discover three new attacks against JSON Web Tokens: sign-encrypt confusion, polyglot JWT, and spoofing, and learn how to prevent vulnerabilities with secure algorithms and binding.

Key takeaways
  • JSON Web Tokens (JWTs) are widely used for authentication and authorization, but they have several issues.
  • Three new attacks against JWTs have been discovered: the sign-encrypt confusion attack, the polyglot JWT attack, and the spoofing attack.
  • The sign-encrypt confusion attack occurs when a library signes a token with a public key and then encrypts it with the same key, making it vulnerable to tampering.
  • The polyglot JWT attack takes advantage of ambiguity in JWT specifications, allowing an attacker to create a valid token that can spoof an identity.
  • The spoofing attack allows an attacker to create a token that an application considers valid, but is actually forged.
  • JWT libraries often have default settings that can compromise security.
  • Authentication decisions are typically made based on claims in the token, but these claims can be spoofed.
  • Libraries often have issues with parsing JWTs, which can lead to vulnerabilities.
  • JSON Web Encryption (JWE) can be used to encrypt JWTs, but it’s often used incorrectly.
  • The status quo of using default settings and unauthenticated encryption is vulnerable to attacks.
  • Implementing a secure algorithm and using a binding is recommended.
  • To prevent spoofing attacks, it’s recommended to use a secure algorithm and validate tokens on the server-side.
  • Alternatives such as JSON Object Signing and Encryption (JOSE) and JWE can be used to improve security.
  • Proper configuration and validation are crucial for secure JWT usage.
  • Implementing a secure algorithm and using a binding can prevent vulnerabilities.
  • Libraries should be designed with security in mind.
  • Avoiding default settings and unauthenticated encryption is recommended.
  • To improve security, use a secure algorithm and validate tokens on the server-side.
  • Configuring and validating are crucial for secure JWT usage.

More talks

Serialization: A New Hope by Viktor Klang, Brian Goetz

Best Practices for Making a Wagtail Site as Accessible as Possible with Scott Cranfill

Back to the Roots: Finding the Origin of CSP Security Bugs

Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering

How to create a standardization plan

Unveiling the Cracks in Virtualization, Mastering the Host System--VMware Workstation Escape

Jenny Shen - An upgrade handbook to Rails 8 - Rails World 2024

WordPress Tips And Tricks