How to mess up with JWT's - a practitioner's guide

JSON Web Tokens are everywhere - you are using a bunch of them right now. It's such a common technology, yet it's very easy to get them wrong. In this session, we get to the nitty-gritty of JWT's - what they are, how they work, and how to make sure that we haven't made an app that is just waiting to be hacked. The session's goal is to make developers aware of the pitfalls accompanying JWT's by telling some personal stories of cases where JWT's were used improperly. In my experience, such improper usage is extremely commonplace, and JWT's are associated with magical thinking, i.e. "I'm using JWT's and I'm secure". The key take-away of the talk should be that JWT's are a great tool that should be used carefully, with full understanding of what they can and cannot do.

Wekoslav Stefanovski

October 20, 2023

Transcript

1. Who Am I?
   • Head of development at Sourcico, Macedonia
   • Coding professionally since last century
   • C# / .net
   • JavaScript / TypeScript
   • I love programming, I love programmers
   @swekster

2. Why me?
   • I love authorization
   • I can stand authentication
   • Many different clients across the decades
   • I’ve made lots of authentication mistakes
   • I’ve seen even more

3. Agenda
   • What are little JWT’s made of?
   • How to mess up using them
   • How to mess up the security
   • How to mess up performance

4. What are JWT’s?
   • JWT’s are NOT magic
   • Encoded text (usually not encrypted)
   • The text is a piece of JSON data
   • A Header
   • A Payload
   • A Signature (or is there?)

5. How are they usually used?
   • Generated on some kind of server
   • Sent to the client
   • Communicated from the client
   • Verified on the server
   • No magic required

6. 0. Using Sensitive Data inside a JWT
   • Because JWT’s are not magic, any data that we set in the token is user-accessible
   • If the token is stolen, any and all PII will be available to the attacker
   • Even if the token is used by the regular user, there might be system-sensitive data that we don’t want the user to see
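As an added illustration of slides 4 and 6 (this is example code written for this page, not code from the talk or from the sweko/apicon-jwt repository): the header and payload of a JWT are nothing more than base64url-encoded JSON, so whoever holds the token can read every claim without any key. The block decodes a token without checking its signature, then shows the mitigation the slide implies: issue tokens from a claim allowlist and audit existing tokens against it. The user record, the claim names outside the RFC 7519 registered set (`roles`, `email`, `ssn`, `internalCostCenter`) and the placeholder signature segment are all constructed for the demo; it needs only Node's built-in `Buffer`.

```javascript
// Added example, not code from the talk or from the sweko/apicon-jwt repo.
// Shows that a JWT's header and payload are merely base64url-encoded JSON, so
// every holder of the token can read them, and a claim allowlist that keeps PII
// and internal fields out of issued tokens. Uses only Node's built-in Buffer.
// Claim names beyond the registered ones (roles, email, ssn, ...) are constructed.

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Decode header and payload WITHOUT checking the signature. Anyone holding the
// token can do this; its output must never be used to trust the claims.
function decodeUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  return { header: parse(parts[0]), payload: parse(parts[1]) };
}

// Claims we are willing to expose to whoever holds the token (constructed policy:
// the registered claims from RFC 7519 plus an application-specific 'roles').
const PUBLIC_CLAIMS = new Set(['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti', 'roles']);

// Build the token payload from the allowlist rather than by dumping the user
// record, so a new database column never leaks into tokens by accident.
function toTokenClaims(userRecord) {
  return Object.fromEntries(Object.entries(userRecord).filter(([k]) => PUBLIC_CLAIMS.has(k)));
}

// Audit an already-issued token: which claims fall outside the allowlist?
function auditTokenClaims(token) {
  return Object.keys(decodeUnverified(token).payload).filter((k) => !PUBLIC_CLAIMS.has(k));
}

// Constructed user record with fields that should never ride in a token.
const userRecord = {
  sub: 'user-42',
  roles: ['editor'],
  email: 'user42@example.com',
  ssn: '000-00-0000',
  internalCostCenter: 'CC-17',
  exp: 1700000000,
};

// A token built the "dump the whole record" way. The signature segment is a
// placeholder: readability of the payload does not depend on it at all.
const leakyToken = `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson(userRecord)}.signature-placeholder`;

console.log('payload visible without any key:', decodeUnverified(leakyToken).payload);
console.log('claims outside the allowlist:', auditTokenClaims(leakyToken));
console.log('what the issuer should have put in:', toTokenClaims(userRecord));
```

The audit function is the useful bit operationally: run it over tokens captured in a staging environment and anything it reports is data you are handing to every client, proxy and log that ever sees the token.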
7. 1. Failing to validate JWT’s
   • JWT’s are not magic
   • Validation can be cryptographically expensive
   • It might not be called because of bad code practices
   • Not a scenario that is often covered by tests

8. 2. Validate JWT’s badly
   • JWT’s are not magic
   • Different algorithm from the one we sent out
   • No algorithm at all
   • Different key from the one we sent out
   • Library issues

9. 3. Bloating the JWT’s
   • JWT’s are not magic
   • Tokens are used as headers or cookies
   • Transmitted on each and every call from the client
   • Network performance hit
   • Decoding and verifying performance hit
   • Possible truncation and weird behaviours

10. 4. Messing up JWT expiration
   • JWT’s are not magic
   • Expired token validation
   • Tokens that are too long lived
   • Tokens that do not get refreshed
11. 5. Implementing Stateless State
   • JWT’s are not magic, and neither is the stateless web
   • No such thing as stateless auth
   • Using both JWT and stored session state
   • Using signing keys as state

12. Contact Info
   • Email: [email protected]
   • Twitter: @swekster
   • YouTube: https://www.youtube.com/@swekster
   • LinkedIn: https://www.linkedin.com/in/swekster/
   • Sources and Presentation: https://github.com/sweko/apicon-jwt