Due to its popularity, JWT attacks are one of of the most exploited vulnerability by attackers. Each JWT contains base64 encoded JSON objects. By Aamir Ahmed.
A cryptographic algorithm is used to sign JWT tokens to ensure the token’s integrity and protect against JWT attacks. The article further deals with:
- JWT structure
- JWT attacks in the wild
- Change to ‘NONE’
- JWT token expiration
- HMAC algorithm
- Brute-forcing JWT token
- Improper signature verification
- Automate it all
- Directory traversal
- SQL Injection
- JKU header tampering
HMAC and RSA are two most common algorithms used in JWT . HMAC works on the principle of symmetric encryption while RSA used assymetric encryption. To preserve integrity, the secrecy of secret key in HMAC and private key in RSA must be maintained. Good read!
[Read More]