JSON Web Tokens
Akshaey Bhosale (Associate Information Security Analyst)
Indusface Pvt Ltd.
What is JSON Web Token?
- A compact and self-contained way of securely transmitting information between parties as a JSON object.
- JWTs are signed either with a secret (HMAC algorithm) or with a public/private key pair (RSA).
- JWTs are base64url encoded.
- Used for authentication and information exchange.
What is JSON Web Token?
- Compact: because of their small size, JWTs can be sent through a URL, a POST parameter or inside an HTTP header. The smaller the size, the faster the transmission.
E.g., eyJhbGciOBJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG4gZG9lIiwiaWF0IjoxNGYyMjMyNzI2fQ.NnOv-wHAf59L2WMcDlfNsTThOUY1a0JMFNgJIP67mqU
- Self-contained: the payload contains all the required information about the user, avoiding the need to query the database more than once.
JWT Structure
- A JSON Web Token consists of three parts separated by dots (.):
  - Header
  - Payload
  - Signature
- Therefore a JWT typically looks like:
Header.Payload.Signature
JWT Structure
- Header
- The header consists of two parts: the token type, which is JWT, and the hashing algorithm being used.
- For example (with HMAC SHA256 as the algorithm):
{"alg":"HS256","typ":"JWT"}
- This is base64url encoded to form the first part of the JWT.
JWT Structure
- Payload
- The second part is the "payload", which contains the claims. There are three types of claims:
  - Reserved
  - Public
  - Private
JWT Structure
- Reserved claims:
These are a set of predefined claims which are not mandatory but recommended.
e.g., iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
- Public claims:
These are defined at will by those using JWTs.
e.g., user name, object identifier, UUID.
{"_id":"5e54ca53ff6a2d1d8474f070","authkey":"3413160f-802e-4824-9b02-a58ec0e39a3c","iv":"7dd45104-e74a-4bb4-aed0-063309489833","iat":1582615160,"exp":1583824820,"jti":"e6bb2ac9a2f04214b62a28135fb005ae"}
- Private claims:
These are custom claims generated while transferring information between two parties.
e.g., employee ID, department name.
JWT Structure
- Payload
The payload is then base64url encoded to form the second part of the JWT.
JWT Structure
- Signature
- To create the signature, take the encoded header, the encoded payload, a secret and the algorithm specified in the header, and sign that.
- The signature provides integrity, ensuring that the message wasn't changed along the way.
- For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Point To Remember
- If we add "Authorization: Bearer <token>" to the request headers, the user will be allowed to access protected resources.
- If the token is sent in the Authorization header, CORS won't be an issue, as it doesn't rely on cookies.
Let's see it in a practical way!
References
- https://jwt.io
- http://self-issued.info/docs/draft-jones-json-web-token-01.html
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
Any Queries?
Thank You
Understanding JWT Exploitation