So you think that JSON Web Tokens (JWT) are pure gold, and they are a better alternative to old good cookies? 🤔

I hear this all the time...

The problem is that JWTs are NOT ANY BETTER than session cookies... they are just applicable in different scenarios (with their pros and cons).

​

Today, let's look at one important risk that comes with using the JWT tokens 👉 Brute-force attack. 💣

​

​

What's the problem here? The cryptographic signature to be generated requires a secret key. In a Web application scenario, this secret key should be known only to confidential server-side code. The problem is that if it's too weak (too short), it may be guessed! Like a regular password. And it may be guessed with powerful cloud infrastructure without any additional calls to the attacked backend. 😱😱😱

Look below at the screenshot from the jwt.io website.

​

​

On the left side, you can see the encoded JWT. It's just simple Base64. On the right side, you can see the Header, Payload, and Signature of this token. The secret key used to sign this token is "secret123", which is not known on the frontend side.

What now? The attacker uses an automated tool to find this secret key in a brute-force fashion, trying every possible character combination. And if the secret key is found, the attacker may generate ANY VALID tokens, actually being able to impersonate any user 💥.

​

The solution?

Actually... there is a simple solution. Use a STRONG secret, so that a brute-force attack would take even hundreds of years on the most powerful infrastructure.

So, what is strong enough? According to Auth0.com: Make sure to pick a shared key as long as the length of the hash. For HS256, that would be a 256-bit key (or 32 bytes) minimum.

​

That's all for this week. ⚡

​

Rate this email:

​GREAT 😃 | OKEY 😐 | BAD 😟

​

Thank you for your time!
Bartosz