JWT security cheatsheet - Page 1 - PentesterLab

JSON Web Token Security Cheat Sheet

Header
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
urlsafe_base64*({"..."})

Payload
eyJsb2dpbiI6ImFkbWluIn0
urlsafe_base64*({"..."})

Signature
FSfvCBAwypJ4abF6jFLmR7JgZhkW674Z8dIdAIRyt1...
urlsafe_base64*(...)

* urlsafe_base64 with no padding: https://tools.ietf.org/html/rfc7515#appendix-C

Header review:

Support for "None" algorithm disabled
No injection in the "kid" element
Embedded "jwk" elements are not trusted
Whitelist of algorithms enforced
Replay protection via "jti" element

Payload review:

Check for sensitive information stored in the payload
Check for token's expiry enforced via "exp" or "iat" elements

Signature review:

Check if the signature is enforced
Try to brute force the secret key
Check for time constant verification for HMAC
Ensure that keys and secrets are stored outside of source
Check that keys and secrets are different between environments
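As an added example, not PentesterLab's code and not part of the cheat sheet: a small Python verifier (standard library only) that applies the header, payload and signature checks listed above to a token laid out as in the structure section at the top of the sheet. It decodes the header and payload segments printed on the sheet with unpadded base64url, as RFC 7515 Appendix C describes. Because the sheet's signature is truncated, signature checks run against tokens the example signs itself. The key store, the secret, the "kid" value "k1", the fixed clock, the tokens, and the names `Verifier`, `sign_hs256`, `check` and `decode_page_segments` are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Header and payload segments as printed on the cheat sheet. The sheet's
# signature is truncated, so signature checks use tokens signed below instead.
PAGE_HEADER_B64 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
PAGE_PAYLOAD_B64 = "eyJsb2dpbiI6ImFkbWluIn0"

# Constructed server-side key store, selected by exact "kid" lookup in a dict.
# Never building a file path or SQL query from "kid" is what rules out
# injection through that element. The secret is a placeholder for the example.
KEYS = {"k1": b"example-secret-not-for-production"}
ALLOWED_ALGS = {"HS256"}  # whitelist; "none" (in any spelling) is never in it


def b64url_decode(s: str) -> bytes:
    """RFC 7515 Appendix C: base64url without padding; restore '=' before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Inverse of b64url_decode: base64url with the padding stripped."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_page_segments():
    """Decode the two segments shown on the sheet (no trust is placed in them)."""
    return (json.loads(b64url_decode(PAGE_HEADER_B64)),
            json.loads(b64url_decode(PAGE_PAYLOAD_B64)))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS with HMAC-SHA256 (used here only to create test tokens)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


class Verifier:
    """Applies the cheat sheet's header, signature and payload checks in order."""

    def __init__(self, keys=KEYS, allowed_algs=ALLOWED_ALGS, now=time.time):
        self.keys, self.allowed_algs, self.now = keys, allowed_algs, now
        self.seen_jti = set()  # replay protection; a shared store in real deployments

    def verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("token must have exactly three segments")
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
        # Header: algorithm whitelist (which also rejects "none"), no trust in "jwk",
        # and the key chosen only by exact lookup on "kid".
        alg = header.get("alg")
        if not isinstance(alg, str) or alg not in self.allowed_algs:
            raise ValueError(f"algorithm not allowed: {alg!r}")
        if "jwk" in header:
            raise ValueError("embedded jwk is not trusted")
        kid = header.get("kid")
        key = self.keys.get(kid) if isinstance(kid, str) else None
        if key is None:
            raise ValueError("unknown kid")
        # Signature: always enforced, HMAC compared in constant time.
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        # Payload: expiry is mandatory and a "jti" is accepted only once.
        exp = payload.get("exp")
        if not isinstance(exp, (int, float)) or self.now() >= exp:
            raise ValueError("token expired or has no exp")
        jti = payload.get("jti")
        if jti is None or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return payload


def check(verifier: Verifier, token: str) -> str:
    """Return 'ok' or the rejection reason; convenient for logging and tests."""
    try:
        verifier.verify(token)
        return "ok"
    except ValueError as e:  # covers bad base64, bad JSON and the checks above
        return str(e)


if __name__ == "__main__":
    print(decode_page_segments())  # ({'typ': 'JWT', 'alg': 'HS256'}, {'login': 'admin'})
    v = Verifier(now=lambda: 1000)  # fixed clock for a reproducible run
    good = sign_hs256({"typ": "JWT", "alg": "HS256", "kid": "k1"},
                      {"login": "admin", "exp": 2000, "jti": "t-1"}, KEYS["k1"])
    print(check(v, good))  # ok
    print(check(v, good))  # missing or replayed jti
```

The decoded payload shows why the "sensitive information" item is on the checklist: the base64url segments are readable by anyone holding the token, so nothing confidential belongs there. The order of checks also matters: the algorithm and key selection are settled from server-side configuration before any byte of the signature is compared, so nothing the token's own header says can change which key or algorithm is used.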

PentesterLab.com / @PentesterLab
