Token-Based Authentication vulnerability


Paulo Vitor Costa Lima

We need to pay attention to where we store our tokens!

If they are not stored properly, we open security holes that may become an open door for attacks.

There are a few things we need to know when we talk about token authentication:

- It is very common in SSO authentication systems;

- It is ideal for modern applications, mobile apps and microservices;

- The application does not have to store and maintain session information server-side.

Here we will focus on JSON Web Tokens (JWT).

First, we need to understand the structure of this type of authentication token.

Basically, there are three components: a header, a payload and a signature.

Header: Defines which algorithm is used to generate the signature;

{ "alg" : "HS256", "typ" : "JWT" }

Payload: This section contains the information about the user's identity;

{ "user_name" : "admin" }

Signature: It is computed over the header and the payload, concatenated with a dot, after both have been base64url-encoded:

eyAiYWxnIsKgOiAiSFMyNTYiLCAidHlwIsKgOiAiSldUIiB9.eyAidXNlcl9uYW1lIsKgOiAiYWRtaW4iLCB9

This concatenation is the signing input; signing it with the HS256 algorithm and the secret key produces the JWT signature.

This is a secure way to identify a user, but it needs to be implemented correctly. The principle is that the user never has access to the secret key, so they cannot change the payload and re-sign the token. Only the server can verify the token, by checking that the signature is correct.

Manipulating the alg field

As mentioned earlier, if an attacker can change the alg field to "none", and the application does not verify the algorithm, the security of the token is compromised.

{ "alg" : "none", "typ" : "JWT" } { "user_name" : "admin" }

If this can be changed, the attacker can authenticate as an admin user of the application and do serious damage. This value of the alg field is commonly used in development environments, so don't forget to remove it when the application goes into production.

There are other ways to manipulate the alg field, for example, changing it from RSA to HMAC. With RSA, the token is signed with the private key and verified with the public key. If the attacker changes the alg field to HMAC, he will be able to create valid tokens using the public key, because with HMAC the key used to sign and the key used to verify are the same.
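The following is an added example, not code from the original article or its author. It puts together the two parts above: it builds a token exactly as described (base64url header, base64url payload, HS256 signature over both) and then verifies it with a check that closes both the alg=none case and the algorithm-switching case, by pinning the algorithm server-side instead of trusting the token's own header. The secret key and user names are constructed values for the example; `ALLOWED_ALG` and the helper names are assumptions of this code, not names from the article.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for the example only (not a real key).
SECRET = b"example-server-secret-do-not-use"

# The single algorithm this server accepts. The token header's "alg" field is
# never used to pick the verification routine; the server's configuration is.
ALLOWED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _compact_json(obj: dict) -> bytes:
    # Compact separators match what real JWT libraries emit.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature: HMAC-SHA256 over the two encoded parts."""
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def issue_token(user_name: str) -> str:
    """What the server hands out after a successful login."""
    return sign_hs256({"alg": ALLOWED_ALG, "typ": "JWT"}, {"user_name": user_name}, SECRET)


def verify_token(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the payload if the token is valid under the pinned algorithm, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Check 1: the server, not the token, decides the algorithm. A header that
    # says "none", or names a different algorithm than the one configured, is
    # rejected before any signature work happens. This is what stops both the
    # alg=none trick and the RSA-to-HMAC switch described in the article.
    if header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Check 2: constant-time comparison so timing does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


def unsigned_none_token(payload: dict) -> str:
    """A token with alg=none and an empty signature, built only to show it is refused."""
    header_b64 = b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    return header_b64 + "." + b64url_encode(_compact_json(payload)) + "."


if __name__ == "__main__":
    good = issue_token("alice")
    print("valid token  ->", verify_token(good))
    print("alg=none     ->", verify_token(unsigned_none_token({"user_name": "admin"})))
    print("wrong key    ->", verify_token(sign_hs256({"alg": "HS256", "typ": "JWT"}, {"user_name": "admin"}, b"other")))
```

The important design choice is that `verify_token` compares the header's `alg` against a server-side constant and ignores it otherwise. A verifier that instead reads `alg` from the header and dispatches on it is the one that can be talked into "none", or into treating an RSA public key as an HMAC secret.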
