9.3. JWT

9.3.1. Introduction

JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for passing claims between web application environments. The token is designed to be compact and secure, and is especially suited to single sign-on (SSO) scenarios across distributed sites. JWT claims are generally used to transfer authenticated user identity information between the identity provider and the service provider in order to obtain resources from the resource server. Additional claims required by business logic can also be added. The token can be used directly for authentication, and it can also be encrypted.

9.3.2. Composition

A JWT is divided into three parts: header, payload and signature. The header declares the token type and the algorithm used for encryption. The payload carries the claims, and the signature appended at the end is HMAC(base64(header)+base64(payload), secret).

9.3.3. Security Issues

9.3.3.1. Header section

  • Whether changing the algorithm to none or to a symmetric encryption algorithm is accepted

  • Deleting the signature

  • Inserting erroneous information

  • Whether the kid field is vulnerable to SQL injection, command injection or directory traversal

  • Whether the jwk element can be trusted

  • Whether the use of whitelisted encryption algorithms is enforced

9.3.3.2. Payload section

  • Whether it contains sensitive information

  • Check the expiration policy claims such as exp and iat

9.3.3.3. Signature section

  • Check whether the signature is enforced

  • Whether the key can be brute-forced

  • Whether there is any other way to obtain the key

9.3.3.4. Others

  • Replay

  • Changing the algorithm from RS256 to HS256

  • Timing attacks based on the time the signature check takes to match

  • Weak key cracking
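
The checks listed in 9.3.3.1 to 9.3.3.4 (algorithm whitelist, deleted signature, exp policy, timing of the signature comparison), seen from the verifier's side. This is an added example, not code from the original page; the function names, the HS256-only whitelist and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # assumption: whitelist pinned by the verifier, never read from the token

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(header, payload, secret):
    """Helper that builds constructed sample tokens for the checks below."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("signature missing")        # token with the signature deleted
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        presented = b64url_decode(parts[2])
    except ValueError as exc:                         # bad base64, bad UTF-8 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")     # rejects none and anything off the whitelist
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise ValueError("bad signature")
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")    # exp is mandatory in this sketch
    return payload
```

The header is parsed only to confirm that its alg is on the whitelist; the HMAC is always computed with the algorithm the verifier pinned, so a token cannot choose how it is checked.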