Are You Properly Using JWTs?
Philippe Leothaud, CTO and Founder
SLIDE 2
© COPYRIGHT 42CRUNCH
Phil Leothaud, CTO and Founder, 42Crunch
Kristin Davis, Head of Marketing, 42Crunch
SLIDE 3
What are JWTs
The crypto behind it
SLIDE 4
Why do we need tokens?
[Diagram: authorization flow between User, Client App, Identity Provider and Your API/Resource]
1. Click login link
2. Authentication Code Request to /authorize
3. Redirect to login/authorization prompt
4. Authenticate and Consent
5. Authorization Code
6. Authorization Code + Client ID + Secret to /oauth/token
7. Validate Authorization Code + Client ID + Client Secret
8. Access Token
9. Request user data with access token
10. Response
SLIDE 5
What are JWTs
• JWTs (RFC 7519) are a convenient way to transport claims between parties over HTTP, as base64url-encoded JSON.
• Claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure.
• They are easy to use, supported by many libraries in more or less all programming languages, and therefore pervasive.
SLIDE 6
Tokens can be anything
ec9f8fbb-a357-4fb6-a6af-de6ce54fb3d2
SLIDE 7
Why JSON Web Tokens?
• Transported info right in the token
• No need for shared databases
• No extra API calls
• JSON is easy to use in code
{
  "user":"elmer@foodbeat.com",
  "is_admin":false,
  "twitter":"elmer.foodbeat",
  "iss":1579551140,
  "exp":1579551740
}
SLIDE 8
Common Use Cases
• OAuth2
• OpenID Connect id_token
• Any JSON payload that needs to be protected and sent
SLIDE 9
Tokens are Encoded
• To pass them in URLs and headers
• Base64URL encoding is used
• Encoding != signing
• Encoding != encryption
POST /book HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: resource.catalog.library
Authorization: Bearer IUojlkoiaos298jkkdksdosiduIUiopo

{
  "isbn":"9780201038019",
  "author":"Donald Knuth",
  "title":"The Art of Computer Programming"
}
SLIDE 10
How do you know that the token is from a specific source?
• They are signed/encrypted
• In AuthN scenarios IdP signs the new token:
  1. Calculates signature
  2. Appends it to token
• Client passes the token to resource as is
• Resource verifies the signature
[Diagram: the same authorization flow between User, Client App, Identity Provider and Your API/Resource as on slide 4, steps 1 to 10]
SLIDE 11
(some) JOSE Header Parameters
• alg: the signing algorithm (used even when JWT is encrypted!). Can be none, RS256, HS256, … - full list in RFC 7518
• enc: the Key encryption algorithm when using encryption
• jku: URI to a set of JSON-encoded public keys, one of which corresponds to the key used to sign the token
• jwk: public key corresponding to the one used to sign the token
• kid: hint indicating which key was used
• x5u: URI for X.509 public key certificate or certificate chain
• x5c: X.509 public key certificate or certificate chain
• x5t: encoded SHA-1 thumbprint / digest of the DER encoding of X.509 certificate
• x5t#S256: SHA-256 thumbprint
• … and some more -> See RFCs from 7515 to 7519 ;-)
SLIDE 12
Signing Process
1. Create JOSE header
2. Encode it
3. Create payload (does not have to be JSON)
4. Encode it too
5. Concatenate with . in between
6. Compute signature using alg
7. Base64URL-encode and append
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZG1pdHJ5QDQyY3J1bmNoLmNvbSIsImlzX2FkbWluIjpmYWxzZSwidHdpdHRlciI6IkRTb3RuaWtvdiIsImlzcyI6MTU3OTU1MTE0MCwiZXhwIjoxNTc5NTUxNzQwfQ.n34z-LWu4INXl8-Cgac-Ues7r99xgbt_A4aHuCAZRLU
SLIDE 13
Attacks and how to prevent them
SLIDE 14
An API should not blindly trust anything it receives from the client.
SLIDE 15
None Algorithm Attack
1. Attacker modifies or creates a token
{
  "alg": "HS256",
  "typ": "JWT"
}.
{
  "user":"elmer@foodbeat.com",
  "is_admin":false
}.
X0Wglk3qxprPLVTw2cYzuwEcJEEfED2F5XgmTdQFY7A
SLIDE 16
None Algorithm Attack
1. Attacker modifies or creates a token
{
  "alg": "HS256",
  "typ": "JWT"
}.
{
  "user":"elmer@foodbeat.com",
  "is_admin":true
}.
X0Wglk3qxprPLVTw2cYzuwEcJEEfED2F5XgmTdQFY7A
SLIDE 17
None Algorithm Attack
1. Attacker modifies or creates a token
2. They set alg to None in the header
3. And send it without a signature
4. Since alg is None, this is a valid JWS
{
  "alg": "None",
  "typ": "JWT"
}.
{
  "user":"elmer@foodbeat.com",
  "is_admin":true
}.
eyJhbGciOiAiTm9uZSIsCiAgInR5cCI6ICJKV1QifQ.eyJ1c2VyIjoiZG1pdHJ5QDQyY3J1bmNoLmNvbSIsImlzX2FkbWluIjp0cnVlfQ.
SLIDE 18
HMAC Algorithm Attack
• HMAC is symmetric: the same shared key is used to sign and verify
• RSA is asymmetric: public and private keys
• Attacker:
  1. Puts HS256 instead of RS256
  2. Signs with public RS256 key
• API code blindly uses public RSA key with HMAC alg to verify signature
{
  "alg" : "RS256",
  "typ" : "JWT"
}.
{
  "user":"elmer@foodbeat.com",
  "is_admin":false
}.
RSA signature with RSA private key
Changed to:
{
  "alg" : "HS256",
  "typ" : "JWT"
}.
{
  "user":"elmer@foodbeat.com",
  "is_admin":true
}.
HMAC signature with RSA public key
SLIDE 19
Lack of Signature Validation
1. Developers may not validate signature at all
2. They blindly trust the signature passed in the header
3. For nested JWTs, signature must be validated at each level
SLIDE 20
Bruteforce Attack on Signature
1. Developers use a low entropy key
2. Attackers intercept a valid token
3. They now know the alg and have a token with a valid signature
4. They can run a dictionary attack to figure out the key
5. Once the signature matches they know your key and can forge tokens
signature = HMAC-SHA256(base64urlEncode(header) + '.' + base64urlEncode(payload), "qwerty")
SLIDE 21
Leaked Keys
• Source code repos
• Directory traversals
• XXE
• SSRF
SLIDE 22
kid as a file path
1. Developers use a filepath for the key
2. Developers do not sanitize the value
3. Attackers specify any valid path with known content
4. They sign with a symmetric alg, using that known content as the key
{
  "alg" : "HS256",
  "typ" : "JWT",
  "kid" : "secret/hmac.key"
}
change to:
{
  "alg" : "HS256",
  "typ" : "JWT",
  "kid" : "../../styles/site.css"
}
SLIDE 23
kid with SQL Injection
1. Developers use unsafe code to retrieve the key from a database
2. Attackers supply an invalid key ID containing a SQL injection, so the query returns a result they know
Unsafe SQL retrieval:
SELECT Key WHERE ("key = ${kid}")
Attack value:
"kid": "blah' UNION SELECT 'key';--"
SLIDE 24
Command Injection
1. Developers use a header parameter as a filename and an unsafe operation to read the file
2. Attackers send an injection string and get their commands executed on the server
File.open(key_filename), system(), exec(), etc.
{
  "kid":"'filename' | whoami;"
}
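The header checks that the attack slides above call for (None algorithm, HMAC algorithm, low-entropy keys, and kid used as a path, SQL value or command), as an added Python example that is not code from the original slides. The key ID `hmac-2020-01` and all function names are assumptions made for the example; only HS256 is implemented so that it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets


class TokenError(Exception):
    """Raised for every rejected token; the message names the failed check."""


MIN_HMAC_KEY_BYTES = 32  # RFC 7518: an HS256 key must be at least 256 bits
KEYS = {}                # kid -> {"alg": ..., "key": ...}, held server-side


def register_hmac_key(kid: str, key: bytes) -> None:
    """Bind one key to exactly one algorithm and refuse low-entropy secrets."""
    if len(key) < MIN_HMAC_KEY_BYTES:
        raise TokenError("HS256 key shorter than 256 bits")
    KEYS[kid] = {"alg": "HS256", "key": key}


# Constructed sample key; a real deployment loads it from a secret store.
register_hmac_key("hmac-2020-01", secrets.token_bytes(32))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, kid: str) -> str:
    """The signing process: encode header and payload, join with '.', sign."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(KEYS[kid]["key"], signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + b64url_encode(mac.digest())


def verify(token: str) -> dict:
    """Return the payload only if the signature verifies under a pinned key."""
    parts = token.split(".")
    if not token.isascii() or len(parts) != 3:
        raise TokenError("not a three-part JWS compact token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenError("unreadable header") from exc
    if not isinstance(header, dict):
        raise TokenError("header is not a JSON object")

    # kid is only a dictionary key: no file path, SQL query or shell sees it.
    kid = header.get("kid")
    entry = KEYS.get(kid) if isinstance(kid, str) else None
    if entry is None:
        raise TokenError("unknown kid")

    # The algorithm comes from the key entry, never from the token. "none",
    # "None" or a swapped algorithm cannot match the pinned value.
    if header.get("alg") != entry["alg"]:
        raise TokenError("alg does not match the algorithm pinned to this key")

    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(entry["key"], signing_input, hashlib.sha256).digest()
    try:
        received = b64url_decode(parts[2])
    except ValueError as exc:
        raise TokenError("unreadable signature") from exc
    if not hmac.compare_digest(expected, received):  # constant-time compare
        raise TokenError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))


if __name__ == "__main__":
    token = sign_hs256({"user": "elmer@foodbeat.com", "is_admin": False},
                       "hmac-2020-01")
    print(verify(token))
    head, body, sig = token.split(".")
    bad_header = b64url_encode(
        json.dumps({"alg": "None", "typ": "JWT", "kid": "hmac-2020-01"}).encode())
    for candidate in (bad_header + "." + body + ".", head + "." + body + ".AAAA"):
        try:
            verify(candidate)
        except TokenError as err:
            print("rejected:", err)
```

With RSA keys the same rule applies: the key entry would carry `RS256` as its pinned algorithm, so a header claiming `HS256` for that kid fails the comparison before any key material is used.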
SLIDE 25
Substitution Attack: Different Recipient
• Attacker gets a valid token for one organization / resource and uses it with another
• To prevent this, make each token specific to the issuer, subject, resource:
  • iss: URL of the IdP
  • sub: to whom it was issued
  • aud: audience for the token
[Diagram: the Authorization Server issues a token for Org. 1 ({"sub": "joe", "role": "admin"}), signed with the Private Signing Key. The Public Signing Key is derived from it and used by both Org. 1 and Org. 2. Normal use: the token is presented to Org. 1. Malicious use: the attacker (Joe) gets a valid token for Org. 1 and presents it to Org. 2.]
SLIDE 26
Substitution Attack: Cross JWT
• Lack of exact matching within the same organization
• E.g. check for "aud": "myorg/*" instead of "aud":"myorg/finance-ops"
• Can also happen in multitenancy, site hosting, or any subdomains with any user content
• Use exact matching to protect yourself
[Diagram: a token is issued for Mail Server ({"sub": "joe", "role": "write"}) and signed with the Private Signing Key; the Public Signing Key derived from it is used by Mail Server and Finance Ops. Normal use: Mail Server. Malicious use: the attacker (Joe) presents the token to Finance Ops.]
SLIDE 27
Intercept and Reuse
• Attacker gets a hold of the token
• Since this is a bearer token with no time limits, they just keep using it as long as they want
• Set short time limits: exp, nbf
• Set minimal scopes
• Tie JWT to a specific client
{
  "user":"elmer@foodbeat.com",
  "is_admin":false,
  "iss":1579551140,
  "exp":1579551740
}
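The claim checks from the substitution and intercept-and-reuse slides above, as an added Python example that is not code from the original slides: exact iss and aud matching beside the prefix check the Cross JWT slide warns about, plus exp and nbf. The issuer URL used in the sample data, the 30-second clock leeway and the 900-second ceiling on remaining lifetime are assumptions made for the example.

```python
import time


class ClaimError(Exception):
    """Raised when a registered claim fails validation."""


def _is_timestamp(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def prefix_audience_ok(aud: str, prefix: str) -> bool:
    """Anti-pattern ("myorg/*"): any audience under the prefix is accepted."""
    return aud.startswith(prefix)


def validate_claims(claims: dict, *, issuer: str, audience: str,
                    now=None, leeway: int = 30, max_remaining: int = 900) -> dict:
    """Validate the payload of a token whose signature was already verified."""
    now = time.time() if now is None else now

    # iss must be exactly the IdP this resource trusts.
    if claims.get("iss") != issuer:
        raise ClaimError("iss mismatch")

    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimError("sub missing")

    # aud may be one string or a list of strings (RFC 7519). This resource's
    # own identifier must appear in it verbatim: no wildcard, no prefix.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or audience not in audiences:
        raise ClaimError("aud mismatch")

    # exp is mandatory here: a bearer token without it never stops working.
    exp = claims.get("exp")
    if not _is_timestamp(exp):
        raise ClaimError("exp missing")
    if now >= exp + leeway:
        raise ClaimError("token expired")
    if exp - now > max_remaining:
        raise ClaimError("lifetime too long")

    nbf = claims.get("nbf")
    if nbf is not None:
        if not _is_timestamp(nbf):
            raise ClaimError("nbf malformed")
        if now + leeway < nbf:
            raise ClaimError("token not yet valid")
    return claims


if __name__ == "__main__":
    # Constructed sample: a token minted for the mail server, replayed at
    # the finance-ops resource of the same organization.
    replayed = {"iss": "https://idp.example.com", "sub": "joe",
                "aud": "myorg/mail-server",
                "nbf": 1579551140, "exp": 1579551740}
    print("prefix check accepts:", prefix_audience_ok(replayed["aud"], "myorg/"))
    try:
        validate_claims(replayed, issuer="https://idp.example.com",
                        audience="myorg/finance-ops", now=1579551200)
    except ClaimError as err:
        print("exact check rejects:", err)
```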
SLIDE 28
These Tokens are not Opaque
• Client actually gets the token
• The tokens are not encrypted
• Rogue client can decode the token and get valuable info from it:
  • PII or other exposed info
  • Information about internals
[Diagram: step 8 of the authorization flow, Access Token]
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiMTIzNDU2Nzg5MCIsImlzX2FkbWluIjpmYWxzZSwidHdpdHRlciI6IkRTb3RuaWtvdiJ9.kIr0UrbBUTeqZcaUPDDj5USO3mENzNQoENi4xcWYf-U
{
  "user":"elmer@foodbeat.com",
  "is_admin":false,
  "twitter":"elmer.foodbeat"
}
SLIDE 29
Solution #1: Encryption
• JOSE header gets 2 extra parameters:
  • enc: algorithm for content encryption
  • zip: optional compression algorithm
• Algorithms used provide both integrity and confidentiality
BASE64URL-ENCODE(UTF8(JOSE Header)).
BASE64URL-ENCODE(JWE Encrypted Key).
BASE64URL-ENCODE(Initialization Vector).
BASE64URL-ENCODE(Ciphertext).
BASE64URL-ENCODE(Authentication Tag)
SLIDE 30
Solution #2: Phantom Tokens
• Give clients tokens with bare minimum information
• At the edge, exchange that phantom token for a full JWT that is only used within the internal, server-side network
{
  "user":"elmer@foodbeat.com",
  "is_admin":false,
  "twitter":"elmer.foodbeat"
}
{
  "sub":"ec9f8fbb-a357-4fb6-a6af-de6ce54fb3d2"
}
[Diagram: OAuth & OIDC Clients, Identity Provider, APIs & Microservices]
SLIDE 31
Patterns and anti-patterns
SLIDE 32
Is JWT right for you?
• HTTP headers have size limits (~ 8KB)
• Use of JWT can be overkill
• They are a poor replacement for web app session tokens:
  • Much larger than a cookie
  • DB is likely used anyway
  • Web frameworks typically load users on incoming requests anyway
  • Cookies are signed and protected anyway
  • Caching and other site optimization will be a better solution than trying to persist all data and state in a JWT in a cookie
SLIDE 33
Recommendations: Shared Secrets
• Safely store and retrieve
• Must be complex
• Key sets identified by kid
• Keys required for encrypted content validation
SLIDE 34
Recommendations: Keys handling
• Safely store and retrieve
• Key sets identified by kid
• Keys required for encrypted content validation
• A key should be used for one and only one algorithm
SLIDE 35
Recommendations: Internal Traffic and Encryption
• Keep external tokens opaque
• Internal tokens can carry payloads
• Encrypt sensitive information
SLIDE 36
Recommendations: Token Validation
• Follow standards for all claims and processes
• Perform Algorithm Verification
• Use Appropriate Algorithms
• Validate All Cryptographic Operations
• Ensure Cryptographic Keys have Sufficient Entropy
• Validate Issuer and Subject
• Use and Validate Audience
• Do Not Trust Received Claims (injections and SSRF from kid and jku)
SLIDE 37
How much of that can be externalized?
• OpenAPI Specification provides a standard machine-readable contract for APIs
• Includes: paths, operations, payloads, responses, authentication, scopes
• Can be enforced by API Gateways and API Firewalls
• JWT policies are not a part of OAS3
openapi: "3.0.0"
info:
  version: 1.0.0
  title: Swagger Petstore
servers:
  - url: http://petstore.swagger.io/v1
paths:
  /pets:
    get:
      summary: List all pets
      operationId: listPets
      tags:
        - pets
      parameters:
        - name: limit
          in: query
SLIDE 38
OpenAPI Security-as-Code extensions from 42Crunch
• Define JWT server-side validation policies
• Can include any parameters and their values
• Can be applied across APIs, within a particular API, to a particular operation
• Can be audited during static code analysis
• Can be enforced by API Firewalls
openapi: "3.0.0"
info:
  version: 1.0.0
  title: Swagger Petstore
servers:
  - url: http://petstore.swagger.io/v1
paths:
  /pets:
    get:
      x-42c-local-strategy:
        x-42c-strategy:
          protections:
            - jwt-validation_0.1:
                header.name: x-access-token
                jwk.envvar: JWK_PUBLIC_RSA_KEY
                authorized.algorithms:
                  - RS256
                  - RS384
      parameters:
        - name: limit
          in: query
SLIDE 39
Additional Resources
• jwt.io
• Phantom tokens
• 42Crunch.com
• APIsecurity.io
THANK YOU
- questions -
Are You Properly Using JWTs? | Philippe Leothaud, CTO| 42crunch.com

Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Are You Properly Using JWTs?

  • 1. Are You Properly Using JWTs? Philippe Leothaud, CTO and Founder
  • 2. Phil Leothaud, CTO and Founder, 42Crunch; Kristin Davis, Head of Marketing, 42Crunch
  • 3. What are JWTs; the crypto behind it
  • 4. Why do we need tokens?
      Flow diagram between User, Client App, Identity Provider and Your API/Resource:
      1. Click login link
      2. Authentication Code Request to /authorize
      3. Redirect to login/authorization prompt
      4. Authenticate and Consent
      5. Authorization Code
      6. Authorization Code + Client ID + Secret to /oauth/token
      7. Validate Authorization Code + Client ID + Client Secret
      8. Access Token
      9. Request user data with access token
      10. Response
  • 5. What are JWTs
      • JWTs (RFC 7519) are a convenient way to transport Base64URL-encoded claims in JSON format between parties over HTTP.
      • Claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure.
      • They are easy to use, supported by many libraries in more or less all programming languages, and therefore pervasive.
  • 6. Tokens can be anything: ec9f8fbb-a357-4fb6-a6af-de6ce54fb3d2
  • 7. Why JSON Web Tokens?
      { "user":"elmer@foodbeat.com", "is_admin":false, "twitter":"elmer.foodbeat", "iss":1579551140, "exp":1579551740 }
      • Transported info right in the token
      • No need for shared databases
      • No extra API calls
      • JSON is easy to use in code
  • 8. Common Use Cases
      • OAuth2
      • OpenID Connect id_token
      • Any JSON payload that needs to be protected and sent
  • 9. Tokens are Encoded
      • To pass them in URLs and headers
      • Base64URL encoding is used
      • Encoding != signing
      • Encoding != encryption
      Example request:
        POST /book HTTP/1.1
        Content-Type: application/json
        Accept: application/json
        Host: resource.catalog.library
        Authorization: Bearer IUojlkoiaos298jkkdksdosiduIUiopo

        { "isbn":"9780201038019", "author":"Donald Knuth", "title":"The Art of Computer Programming" }
  • 10. How do you know that the token is from a specific source?
      • They are signed/encrypted
      • In AuthN scenarios IdP signs the new token:
          1. Calculates signature
          2. Appends it to token
      • Client passes the token to resource as is
      • Resource verifies the signature
      (Diagram: the same ten-step flow between User, Client App, Identity Provider and Your API/Resource as on slide 4.)
  • 11. (some) JOSE Header Parameters
      • alg: the signing algorithm (used even when JWT is encrypted!). Can be none, RS256, HS256, … (full list in RFC 7518)
      • enc: the key encryption algorithm when using encryption
      • jku: URI to a set of JSON-encoded public keys, one of which corresponds to the key used to sign the token
      • jwk: public key corresponding to the one used to sign the token
      • kid: hint indicating which key was used
      • x5u: URI for X.509 public key certificate or certificate chain
      • x5c: X.509 public key certificate or certificate chain
      • x5t: encoded SHA-1 thumbprint / digest of the DER encoding of X.509 certificate
      • x5t#S256: SHA-256 thumbprint
      • … and some more -> See RFCs from 7515 to 7519 ;-)
  • 12. Signing Process
      1. Create JOSE header
      2. Encode it
      3. Create payload (does not have to be JSON)
      4. Encode it too
      5. Concatenate with . in between
      6. Compute signature using alg
      7. Base64URL-encode and append
      Resulting token:
        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZG1pdHJ5QDQyY3J1bmNoLmNvbSIsImlzX2FkbWluIjpmYWxzZSwidHdpdHRlciI6IkRTb3RuaWtvdiIsImlzcyI6MTU3OTU1MTE0MCwiZXhwIjoxNTc5NTUxNzQwfQ.n34z-LWu4INXl8-Cgac-Ues7r99xgbt_A4aHuCAZRLU
  • 14. An API should not blindly trust anything it receives from the client.
  • 15. None Algorithm Attack
      1. Attacker modifies or creates a token
      Token shown: { "alg": "HS256", "typ": "JWT" }.{ "user":"elmer@foodbeat.com", "is_admin":false }.X0Wglk3qxprPLVTw2cYzuwEcJEEfED2F5XgmTdQFY7A
  • 16. None Algorithm Attack
      1. Attacker modifies or creates a token
      Token shown: { "alg": "HS256", "typ": "JWT" }.{ "user":"elmer@foodbeat.com", "is_admin":true }.X0Wglk3qxprPLVTw2cYzuwEcJEEfED2F5XgmTdQFY7A
  • 17. None Algorithm Attack
      1. Attacker modifies or creates a token
      2. They set alg to None in the header
      3. And send it without a signature
      4. Since alg is None, this is a valid JWS
      Token shown: { "alg": "None", "typ": "JWT" }.{ "user":"elmer@foodbeat.com", "is_admin":true }.
      Encoded: eyJhbGciOiAiTm9uZSIsCiAgInR5cCI6ICJKV1QifQ.eyJ1c2VyIjoiZG1pdHJ5QDQyY3J1bmNoLmNvbSIsImlzX2FkbWluIjp0cnVlfQ.
  • 18. HMAC Algorithm Attack
      • HMAC is symmetric: same shared key used to sign & verify
      • RSA is asymmetric: public & private keys
      • Attacker:
          1. Puts HS256 instead of RS256
          2. Signs with public RS256 key
      • API code blindly uses public RSA key with HMAC alg to verify signature
      Original token: { "alg":"RS256", "typ":"JWT" }.{ "user":"elmer@foodbeat.com", "is_admin":false }.RSA signature with RSA private key
      Changed to: { "alg":"HS256", "typ":"JWT" }.{ "user":"elmer@foodbeat.com", "is_admin":true }.HMAC signature with RSA public key
  • 19. Lack of Signature Validation
      1. Developers may not validate signature at all
      2. They blindly trust the signature passed in the header
      3. For nested JWTs, signature must be validated at each level
  • 20. Bruteforce Attack on Signature
      signature = HMAC-SHA256(base64urlEncode(header) + '.' + base64urlEncode(payload), "qwerty")
      1. Developers use a low entropy key
      2. Attackers intercept a valid token
      3. They now know the alg and have a token with valid signature
      4. They can run a dictionary attack to figure out the key
      5. Once the signature matches they know your key and can forge tokens
  • 21. Leaked Keys
      • Source code repos
      • Directory traversals
      • XXE
      • SSRF
  • 22. kid as a file path
      1. Developers use a filepath for the key
      2. Developers do not sanitize the value
      3. Attackers specify any valid path with known content
      4. They use symmetric alg and that known content
      Header: { "alg":"HS256", "typ":"JWT", "kid":"secret/hmac.key" }
      Changed to: { "alg":"HS256", "typ":"JWT", "kid":"../../styles/site.css" }
  • 23. kid with SQL Injection
      1. Developers use unsafe code to retrieve key from database
      2. Attackers supply invalid key ID with a SQL injection resulting in known result
      Unsafe SQL retrieval: SELECT Key WHERE ("key = ${kid}")
      Attack value: "kid": "blah' UNION SELECT 'key';--"
  • 24. Command Injection
      1. Developers use header parameter as a filename and unsafe operation to read the file
      2. Attackers send an injection string and get their commands executed on the server
      Unsafe operations: File.open(key_filename), system(), exec(), etc.
      Attack value: { "kid":"'filename' | whoami;" }
  • 25. Substitution Attack: Different Recipient
      • Attacker gets a valid token for one organization / resource and uses it with another
      • To prevent this, make each token specific to the issuer, subject, resource:
          • iss: URL of the IdP
          • sub: to whom it was issued
          • aud: audience for the token
      (Diagram: the Authorization Server issues a token for Org. 1, { "sub": "joe", "role": "admin" }; private signing key and the public signing key derived from it; normal use: the attacker (Joe) gets a valid token for Org. 1; malicious use: the same token is used with Org. 2.)
  • 26. Substitution Attack: Cross JWT
      • Lack of exact matching within the same organization
      • E.g. check for "aud": "myorg/*" instead of "aud":"myorg/finance-ops"
      • Can also happen in multitenancy, site hosting, or any subdomains with any user content
      • Use exact matching to protect yourself
      (Diagram: a token for the Mail Server, { "sub": "joe", "role": "write" }, is issued to the attacker (Joe); private signing key and the public signing key derived from it; normal use: Mail Server; malicious use: Finance Ops.)
  • 27. Intercept and Reuse
      { "user":"elmer@foodbeat.com", "is_admin":false, "iss":1579551140, "exp":1579551740 }
      • Attacker gets a hold of the token
      • Since this is a bearer token with no time limits – they just keep using it as long as they want
      • Set short time limits: exp, nbf
      • Set minimal scopes
      • Tie JWT to a specific client
  • 28. These Tokens are not Opaque
      • Client actually gets the token (step 8 of the flow: Access Token)
      • The tokens are not encrypted
      • Rogue client can decode the token and get valuable info from it:
          • PII or other exposed info
          • Information about internals
      Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiMTIzNDU2Nzg5MCIsImlzX2FkbWluIjpmYWxzZSwidHdpdHRlciI6IkRTb3RuaWtvdiJ9.kIr0UrbBUTeqZcaUPDDj5USO3mENzNQoENi4xcWYf-U
      Decoded: { "user":"elmer@foodbeat.com", "is_admin":false, "twitter":"elmer.foodbeat" }
  • 29. Solution #1: Encryption
      BASE64URL-ENCODE(UTF8(JOSE Header)).
      BASE64URL-ENCODE(JWE Encrypted Key).
      BASE64URL-ENCODE(Initialization Vector).
      BASE64URL-ENCODE(Ciphertext).
      BASE64URL-ENCODE(Authentication Tag)
      • JOSE header gets 2 extra parameters:
          • enc: algorithm for content encryption
          • zip: optional compression algorithm
      • Algorithms used provide both integrity and confidentiality
  • 30. Solution #2: Phantom Tokens
      • Give clients tokens with bare minimum information
      • At the edge, exchange that phantom token for a full JWT that is only used within internal, server-side network
      Full JWT payload: { "user":"elmer@foodbeat.com", "is_admin":false, "twitter":"elmer.foodbeat" }
      Phantom token: { "sub":"ec9f8fbb-a357-4fb6-a6af-de6ce54fb3d2" }
      (Diagram labels: APIs & Microservices, OAuth & OIDC Clients, Identity Provider.)
  • 32. Is JWT right for you?
      • HTTP headers have size limits (~ 8KB)
      • Use of JWT can be overkill
      • They are a poor replacement for web app session tokens:
          • Much larger than a cookie
          • DB is likely used anyway
          • Web frameworks typically load users on incoming requests anyway
          • Cookies are signed and protected anyway
          • Caching and other site optimization will be a better solution than trying to persist all data and state in a JWT in a cookie
  • 33. Recommendations: Shared Secrets
      • Safely store and retrieve
      • Must be complex
      • Key sets identified by kid
      • Keys required for encrypted content validation
  • 34. Recommendations: Keys handling
      • Safely store and retrieve
      • Key sets identified by kid
      • Keys required for encrypted content validation
      • A key should be used for one and only one algorithm
  • 35. Recommendations: Internal Traffic and Encryption
      • Keep external tokens opaque
      • Internal tokens can carry payloads
      • Encrypt sensitive information
  • 36. Recommendations: Token Validation
      • Follow standards for all claims and processes
      • Perform Algorithm Verification
      • Use Appropriate Algorithms
      • Validate All Cryptographic Operations
      • Ensure Cryptographic Keys have Sufficient Entropy
      • Validate Issuer and Subject
      • Use and Validate Audience
      • Do Not Trust Received Claims (injections and SSRF from kid and jku)
  • 37. How much of that can be externalized?
      • OpenAPI Specification provides a standard machine-readable contract for APIs
      • Includes: paths, operations, payloads, responses, authentication, scopes
      • Can be enforced by API Gateways and API Firewalls
      • JWT policies are not a part of OAS3
      Example:
        openapi: "3.0.0"
        info:
          version: 1.0.0
          title: Swagger Petstore
        servers:
          - url: http://petstore.swagger.io/v1
        paths:
          /pets:
            get:
              summary: List all pets
              operationId: listPets
              tags:
                - pets
              parameters:
                - name: limit
                  in: query
  • 38. OpenAPI Security-as-Code extensions from 42Crunch
      • Define JWT server-side validation policies
      • Can include any parameters and their values
      • Can be applied across APIs, within a particular API, to a particular operation
      • Can be audited during static code analysis
      • Can be enforced by API Firewalls
      Example:
        openapi: "3.0.0"
        info:
          version: 1.0.0
          title: Swagger Petstore
        servers:
          - url: http://petstore.swagger.io/v1
        paths:
          /pets:
            get:
              x-42c-local-strategy:
                x-42c-strategy:
                  protections:
                    - jwt-validation_0.1:
                        header.name: x-access-token
                        jwk.envvar: JWK_PUBLIC_RSA_KEY
                        authorized.algorithms:
                          - RS256
                          - RS384
              parameters:
                - name: limit
                  in: query
  • 39. Additional Resources
      • jwt.io
      • Phantom tokens
      • 42Crunch.com
      • APIsecurity.io
  • 40. THANK YOU - questions - Are You Properly Using JWTs? | Philippe Leothaud, CTO| 42crunch.com
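
The token validation recommendations on slide 36, applied to the attacks on slides 15 to 27, as an added example (not code from the presentation or from 42Crunch): a standard-library Python HS256 verifier that pins the algorithm, uses kid only as a lookup key, binds each key to one algorithm, and matches iss and aud exactly. The function names, the kid -> (alg, key) registry layout and the 32-byte minimum key length are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

class TokenRejected(Exception):
    """Any validation failure; the API should answer 401 without details."""

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Signing steps from slide 12, used here to build sample tokens."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, keys, issuer, audience, now=None):
    """keys maps kid -> (alg, key bytes), so each key serves one algorithm."""
    now = time.time() if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise TokenRejected("not a three-part compact JWS")
    try:
        header = json.loads(b64url_decode(segments[0]))
        claims = json.loads(b64url_decode(segments[1]))
        signature = b64url_decode(segments[2])
    except ValueError as exc:  # bad Base64URL, bad UTF-8 or bad JSON
        raise TokenRejected("malformed segment") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("header and payload must be JSON objects")
    # Algorithm verification: the server pins alg; "none"/"None" never pass.
    if header.get("alg") != "HS256":
        raise TokenRejected("algorithm not allowed")
    # kid is only a key into an in-memory map: never a path, query or command.
    kid = header.get("kid")
    entry = keys.get(kid) if isinstance(kid, str) else None
    if entry is None or entry[0] != "HS256" or len(entry[1]) < 32:
        raise TokenRejected("unknown kid, key bound to another alg, or short key")
    expected = hmac.new(entry[1], (segments[0] + "." + segments[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenRejected("bad signature")
    # Claims are read only after the signature has been verified.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in audiences:  # exact match
        raise TokenRejected("wrong issuer or audience")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    numeric = isinstance(exp, (int, float)) and isinstance(nbf, (int, float))
    if not numeric or not (nbf <= now < exp):
        raise TokenRejected("exp missing, token expired or not yet valid")
    return claims
```

Key length is only a proxy for entropy: a 32-byte key built from a dictionary word still fails the recommendation on slide 36, so generate keys from a cryptographic random source.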