JWT Security: Part 1 - What is a JWT? скачать в хорошем качестве

JWT Security: Part 1 - What is a JWT?

Twitter: @webpwnized Thank you for watching. Please upvote and subscribe. JSON Web Tokens (JWT) are a particular serialized format for user entitlements. With entitlements, the user brings their permissions to the application. The inherent concern with any entitlement, including JWT, is that the entitlement cannot be trusted. JWT can be used securely but requires the application to take several steps to verify the JWT authenticity, session timeout, contents, and signature to protect against replay, forgery, injection attacks, and other security issues. JWT contains their own session timeout which could be longer than safe or already expired. The JWT might be modified by the user, so the JWT must be signed and the application must validate the signature. The signatures should be certificate-based to prevent the signature from forgery. Also, the password-based signatures have other issues. The signature might be broken, the password could be lost, guessed, intercepted, left in a code repository, or otherwise intercepted or given away accidentally. Even if the password is not lost, there is a question of who signed the JWT, so again, use certificate-based signatures to give a higher level of security and authenticity. The fields inside the JWT, or claims, might be accidentally mangled or malicious. The fields have to be validated by the application before being used. Applications can use JWTs but the application has a lot of responsibilities to perform to use JWT safely and securely. OWASP Mutillidae II is a free web application security testing environment that can be used to learn more. OWASP Mutillidae II is available at https://github.com/webpwnized/mutillidae.