JWT (JSON Web Token) if someone sniff the token, could send the same Post?

Tags: json, rest, token, jwt

What happens if someone sniffs the network and catches my entire request to my REST API with the token? This person could send the same packet again and have an impact without any problem, right? Of course he's not going to know which user that packet belongs to, but he could have an impact anyway, right? Is this possible? How can I deal with this situation?

Thanks! Matt.

Matias Micenmacher Avatar asked Jul 18 '16 19:07




2 Answers

What happens if someone sniffs the network and catches my entire request to my REST API with the token?

The JWT is the authentication token, so he could impersonate the user.

This person could send the same packet again and have an impact without any problem, right?

The same packet or any other, because he has the authentication token. It is the same case as if the user had lost their username / password.

Of course he's not going to know which user that packet belongs to, but he could have an impact anyway, right?

Yes, he can know the user; he could find it simply by decoding the 'sub' field of the token. This field, as defined in RFC , identifies the principal that is the subject of the JWT. The attacker could use your own API to obtain or modify any information to which it has access.

Is this possible? How can I deal with this situation?

Mainly, use HTTPS to avoid man-in-the-middle attacks and keep the tokens private. Also set an expiration and renew tokens periodically.

pedrofb Avatar answered Nov 15 '22 11:11



Of course, the attacker can use the token and get the same access as the victim.

If you want to limit the attacker's actions, you need to meet several conditions:

  1. Set the expiry time of the token as small as possible (5 min, 30 min; neither months nor years).
  2. Use a refresh token to get a new token, and update the refresh token every time you update the old token (and when the user logs in, no doubt).
  3. Use HTTPS (oh yes!)
  4. Do not store passwords, credit card numbers or any confidential information in the token (I'm sure you know it :) )
Dimitry Ivanov Avatar answered Nov 15 '22 12:11

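An added Python example (not from the question or either answer) illustrating the points both answers make: the 'sub' claim is readable by anyone who captures the token, since the payload is only base64url-encoded, and a server that verifies the HMAC signature and enforces a short 'exp' limits what a replayed token can do. The secret, subject and timestamps are constructed for the demo; it uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret and fixed clock for the demo; a real server keeps its key private.
SECRET = b"demo-server-secret-not-real"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, ttl_seconds: int, now: int = NOW) -> str:
    """Issue an HS256 JWT with a short 'exp', as the answers recommend."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_claims_without_key(token: str) -> dict:
    """What a sniffer can do: the payload is only base64url-encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify(token: str, now: int = NOW) -> Optional[dict]:
    """Server-side check: the signature must match and 'exp' must not have passed."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered payload (e.g. edited 'sub') or forged token
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # a replayed token stops working once its short lifetime ends
    return claims

if __name__ == "__main__":
    tok = mint_token("user-42", ttl_seconds=300)
    print("sniffer reads sub:", read_claims_without_key(tok)["sub"])
    print("replay 1 min later accepted:", verify(tok, NOW + 60) is not None)
    print("replay 10 min later accepted:", verify(tok, NOW + 600) is not None)
```

Within the 5-minute lifetime a captured token is accepted as-is, which is why the answers pair the short expiry with HTTPS so the token is not captured in the first place.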