Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How exactly does Json Web Token (JWT) reduce the man-in-the loop attack?

Tags:

security

restful-authentication

jwt

I am trying to understand JWT, and surfing various resource on web. I found the code showing how to check whether JWT is tempered -- this is a great one and I understand it.

However, I don't understand how JWT won't be used by a middle-man who can either look at the browser data (think of a public computer in library) or sniff the wire (I guess this can be avoided by HTTPS though) to get the GWT string, and replay from another computer.

https://float-middle.com/json-web-tokens-jwt-vs-sessions/

[headerB64, payloadB64, signatureB64] = jwt.split('.');

if (atob(signatureB64) === signatureCreatingFunction(headerB64 + '.' + payloadB64) {  
    // good
} else
    // no good
}
like image 554
chen Avatar asked Jun 24 '16 16:06

chen

People also ask

Does JWT prevent man in the middle?

JWTs can be best and secure but it is very secured only if it is used in the right way. Attacks like token stealing, XSS, Middle man attacks are still possible.

What is a JSON Web Token JWT and how does it work?

JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Again, JWT is a standard, meaning that all JWTs are tokens, but not all tokens are JWTs.

Can JWT prevent replay attack?

The JWT spec provides the jti field as a way to prevent replay attacks.

Which part of JWT is the most important in securing it against attack?

The most crucial security claim is the "exp" claim. The issuer uses this claim to indicate the expiration date of a JWT. If this expiration date lies in the past, the JWT has expired and must not be used anymore. A typical example use case is an OpenID Connect identity token, which expires after a set period.

1 Answers

Indeed, they can. You can take steps to prevent this by, say, encapsulating the requester's IP-address in the encrypted data, and by giving the token a relatively short time-to-live. But, the key idea is that the receiving system has only the token, and its encrypted content, to act upon. The server can verify that the token is valid and know that it has not been altered, but, since there are no "sessions," it will not be able to detect a replay attack unless the content of the token enables it to do so. (Therefore, do so!)

like image 82
Mike Robinson Avatar answered Oct 17 '22 03:10

Mike Robinson
Sign in to Comment

Related questions

Reliability of Mimetypes in Uploads (PHP)
How to crack a dBase file password?
How to create a bidirectional encrypted stream on top of an underlying .NET Stream?
OAuth token security
how to secure dll functions from being used outside of my application?
modify per-application access control for private key via command line?
Transmit user password for a rest api
Can a GIF/JPEG file contain runnable PHP code?
Complex Righty System: ACL, RBAC and more what?
How to avoid injection for sorting query by runtime value
Homoglyph attack detection in email phishing
Working against a Secure-Channel with Security-Exit using XMS .NET API
Is AWS, specifically the load balancer service affected by SSL "Heart Bleed" exploit? [closed]
Ruby - unsupported cipher algorithm (AES-256-GCM)
Can we force perl always use three argument form of open when running from command line?
Storing game preferences and saved games in a secure format
Error patching Magento 1.7.1 Hunk #1 Failed at
What makes a string / token cryptographically secure?
Is passing application configuration in stdin a secure alternative to environment variables?
SpringBoot multiple authentication adapter

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!