JSON Web Token Cheat Sheet for Java

Token Structure

Token structure example taken from JWT.IO (the example token image is not reproduced here).

Objective

This cheat sheet provides tips to prevent common security issues when using JSON Web Tokens (JWT) with Java.

Consideration about Using JWT

Even though a JWT is “easy” to use and lets services (mostly REST-style) be exposed in a stateless way, it is not a solution that fits every application: it comes with caveats, such as where the token is stored on the client side (tackled in this cheat sheet), among others.

Issues

None Hashing Algorithm

Symptom

This attack occurs when an attacker alters the token and sets its signature algorithm (the alg header) to none, signalling, through that keyword, that the integrity of the token has supposedly already been verified. Some libraries treated a token carrying the none algorithm as a valid token with a verified signature, so an attacker could rewrite the token claims, drop the signature, and have the application trust the modified token. The root cause is letting the token choose the verification algorithm: the verifying side must decide which algorithm and key it accepts and reject anything else, including case variants of the keyword.
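As an added example (not code from the cheat sheet, which targets Java libraries, and not from any JWT project), the following Python script uses only the standard library to show both the three-chunk token structure from the Token Structure section and the none-algorithm attack described above: it splits a token into header, payload and signature, forges an alg=none variant with altered claims, and contrasts a verifier that trusts the token's own alg header with one that pins the algorithm. The secret key, claims and function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real deployment needs a random key of at least 256 bits,
# loaded from configuration, never a literal in source.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding Base64 expects, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issuer side: HMAC-SHA256 over 'header.payload' (both Base64url chunks)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_parts(token: str) -> tuple:
    """Split a compact JWS into its three chunks: header dict, payload dict, raw signature.
    Decoding proves nothing about integrity: anyone can read and rebuild these chunks."""
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), b64url_decode(sig)


def forge_none_token(token: str, **new_claims) -> str:
    """Attacker side: keep the claims, overwrite the interesting ones, set alg to none
    and leave the signature segment empty (an unsecured JWS in RFC 7515 terms)."""
    _, payload, _ = decode_parts(token)
    payload.update(new_claims)
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(payload) + "."


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Reproduces the historical library bug: the token's own alg header selects the
    check, so alg=none is accepted as 'already verified'."""
    header, payload, sig = decode_parts(token)
    alg = header.get("alg")
    if alg == "none":
        return payload  # the bug: no signature, yet the claims are trusted
    if alg == "HS256":
        signing_input = token.rsplit(".", 1)[0].encode("ascii")
        if hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
            return payload
    raise ValueError("signature verification failed")


def verify_hardened(token: str, key: bytes) -> dict:
    """Hardened: the application fixes the algorithm and key up front; a header naming
    anything else (none, None, RS256, ...) is rejected before any crypto runs."""
    header, payload, sig = decode_parts(token)
    if header.get("alg") != "HS256":  # exact, case-sensitive comparison
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
        raise ValueError("signature verification failed")
    return payload


if __name__ == "__main__":
    issued = sign_hs256({"sub": "1234567890", "name": "John Doe", "admin": False}, SECRET)
    print("header / payload / signature:", decode_parts(issued))
    forged = forge_none_token(issued, admin=True)
    print("vulnerable verifier accepts forged claims:", verify_vulnerable(forged, SECRET))
    try:
        verify_hardened(forged, SECRET)
    except ValueError as exc:
        print("hardened verifier rejects it:", exc)
```

The same rule holds with any JWT library, Java ones included: decoding a token and verifying it are different operations, and the expected algorithm and key must be configured on the verifier rather than read from the incoming header, with any mismatch treated as a hard failure.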
