DEV Community

JWT explained in 4 minutes (With Visuals)

Jean-Paul Rustom on February 24, 2024

Introduction JWT authentication and session authentication are ways to authenticate users of your web app. In this article we will e...
nigel447 • Edited

"JWT is protected against tampering" is true to a limited extent.
Scenario 1:
The app gets a token from the server, but a proxy (like Burp) intercepts the token, then decodes the payload, alters parameter(s), for example some user-id parameter like email, then passes the token to the app. Since the app more than likely does not check the signature (usually verify is on the back-end), the app will now make a state update on altered user data.
Scenario 2:
There are a bunch of attacks based on the "alg" parameter.

I strongly advise working on the premise that the JWT has been tampered with and coding defensively against this. For example, for scenario 1, resend the JWT back to the back-end for verification before the app state update.
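The two scenarios in the comment above, as an added example that is not part of the original article or this thread: a minimal HS256 JWT mint/verify in pure Python (no PyJWT), showing that a client which only base64-decodes the payload accepts a proxy-tampered claim (scenario 1), while a verifier that pins `alg` and checks the HMAC rejects both the tampered token and an `alg: none` token (scenario 2). The secret, the claims and the helper names (`mint_hs256`, `verify_hs256`, `tamper_payload`, `alg_none_token`) are constructed for this demo.

```python
"""
Added example: minimal HS256 JWT handling to show why decoding without
verifying (what the client app does) trusts tampered claims, and why
the verifier must pin the algorithm instead of reading it from the token.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-server-secret"  # constructed for the demo; real code loads this from a key store


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Server side: header.payload signed with HMAC-SHA256 over the base64url parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Scenario 1, the client app's mistake: read the payload, ignore the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Back-end style verification; returns the claims or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON, bad UTF-8
        return None
    # Scenario 2 defence: the verifier decides the algorithm, never the token.
    # "none", "HS256" with a public key, or anything else is rejected here.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_payload(token: str, **changes) -> str:
    """Simulate the intercepting proxy: rewrite claims, keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return header_b64 + "." + _b64url_encode(_compact_json(claims)) + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """Scenario 2: an 'alg': 'none' token with an empty signature segment."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(claims)) + "."


if __name__ == "__main__":
    token = mint_hs256({"sub": "42", "email": "alice@example.com"}, SECRET)
    forged = tamper_payload(token, email="admin@example.com")
    print("client (no verify) sees:", decode_unverified(forged)["email"])  # admin@example.com
    print("server verify of forged:", verify_hs256(forged, SECRET))        # None
    print("server verify of alg=none:", verify_hs256(alg_none_token({"email": "admin@example.com"}), SECRET))  # None
```

The signature check is only meaningful where the secret lives: an HS256 verifier needs the shared key, so a browser or mobile app that holds no key cannot perform it at all, which is why the comment points the check back to the back-end. Note also that `verify_hs256` hardcodes the accepted algorithm rather than trusting the token's own `alg` header; that single line is what closes the `alg: none` class of attacks.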

Misha

You described a MITM attack where a malicious proxy can read and modify arbitrary data between client and server. If the client sends the JWT token back to the server for verification, what prevents the proxy from intercepting this request and spoofing the response?

nigel447 • Edited

You are correct, nothing stops this. Hopefully you can see that just trusting that the JWT is valid is an error. The basic idea is that if you get a JWT that does not verify on the server, then this is a red flag that you are under attack, and you then implement defensive code, which is better than just hoping everything is OK. As to spoofing the response, you need the correct headers.

Schemetastic (Rodrigo) • Edited

Hey, cool video! I did learn new stuff and it was very interesting!

If you'll let me give you a bit of feedback: in some parts the contrast of some text wasn't so good. Let me show some examples:

[two screenshots from the video showing the low-contrast text]

Maybe bolder text or lighter colors; keep in mind that I watched most of the video at a small size (not full screen). Hope this helps.

But it was a very cool video!

Sudipta Adhikary Joy

Great content to learn about JWT. I need more content like this. Appreciate it, and thank you for providing such beautiful content.

Jose Galdamez

JWT is one of those subjects I keep having to re-learn every few years since I don't need to implement it often. When it's already working you don't have to worry about it. Overall, great video animation and write-up! It definitely beats reading the standard for getting a quick summary.

harkinj

Hi,
'4 - Verifying the Token': does this involve calling the 'auth server'?
Thanks

Jakub Serafin

This is an important step that is totally missing in this article.

Thomas Broyer

JWTs are very common (too common?), but have also been harshly criticized by security professionals; see the end of:

Marco Palamede

Very nice article. Do you have it as a PDF or eBook?

Dvir Daniel

For authentication, isn't it better to use auth0.com or eartho.io?

Ricardo Esteves

Nice article, thanks for sharing!