AppSecSchool:
Why JWT Suck?

Enjoy our additional free content from our channel

Why JWT Suck?

JWTs: The Double-Edged Sword of Security Protocols

While JSON Web Tokens (JWTs) have been hailed as the next generation solution to many of the shortcomings of older security protocols like SAML, they are not without their challenges. Let's explore some of the often overlooked complexities associated with JWTs.

A Quick Look Back: SAML

Security Assertion Markup Language (SAML) has been a cornerstone of security protocols. Built using XML, it's notorious for its complexity. Implemented in the early 2000s, it had a vision of flexibility for future scenarios. However, this complexity gave rise to various security issues such as:

  • XXE (XML External Entity)
  • SSRF (Server Side Request Forgery)
  • Multiple ways to tamper with or bypass its signing mechanism.
Enter JWTs

JWTs emerged as the seemingly perfect alternative to the complex world of SAML. They offered:

  1. Simplicity: JSON's compactness makes it more straightforward compared to XML.
  2. No Need for Complex Canonicalization: A significant pain point with XML.
  3. Crypto Agility: JWTs can easily switch between cryptographic algorithms.
The Hidden Challenges of JWTs

While JWTs bring simplicity to the table, they introduce their own set of challenges:

1. 'Crypto Fragility' from 'Crypto Agility'

While it sounds beneficial to switch between algorithms seamlessly, this 'Crypto Agility' can quickly become 'Crypto Fragility'. Poorly chosen algorithms, minor misconfigurations, or weak keys can leave systems vulnerable.

2. Algorithm Confusion Attack

This attack surfaces when developers blindly trust the 'alg' header in a JWT without validation. Malicious actors can alter this header, thereby manipulating the algorithm and tricking the server into accepting a maliciously signed token.

3. The 'Forever-ness' of JWTs

A glaring oversight in many JWT implementations is the lack of enforced expiration. Without specific configurations, a JWT can remain valid indefinitely, posing significant security risks.

4. Expansive Attack Surface

JWTs necessitate a multi-step validation process:

  • Base64-decoding the header, payload, and signature.
  • Parsing the JSON-encoded header.
  • Retrieving the algorithm from the header.
  • Finally, verifying the signature based on the algorithm.

Each step, executed even before verifying the signature, can be a potential attack point.

In Conclusion

JWTs, while promising simplicity and flexibility, aren't without their own set of challenges. When selecting security protocols, it's crucial to consider all factors, not just convenience. Security should be integral to the system's design, not an afterthought.