I am trying to learn JSON Web Tokens (JWT) and did a sample successfully using the article series present in Implement OAuth JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 – Part 3.

I read about JWT and found that the token can be decoded using the JWT debugger present in https://jwt.io/ . The tokens are not encrypted – just encoded.

I have an existing ASP.Net web site which uses forms authentication. I am planning to make some functionality of this as Web API and use JWT for authentication.

Since JWT can be decoded, if some malicious hacker can read the token, they can get authenticated and get access to the resources.

Question 1 How is the security of JWT compared to ASP.Net forms authentication? Is it more, less or equally secure over an unsecured network?

Question 2 The article "How to Avoid Session Hijacking in Web Applications" illustrates a method for validating the IP address to which session_id was issued during login, and IP address of all subsequent requests, in the Application_AcquireRequestState event. This will be possible if the session id is stored in the server.

If I store the original IP address in the JWT token also, is there a way to make sure that the token is not forged (to validate the original IP address and current IP address in each request)?

References:

  1. Cookies vs Tokens. Getting auth right with Angular.JS
  2. Session hijacking attack
  3. What if JWT is stolen?
  4. Stealing JWT from authenticated user
LCJ
  • If the server is connected to the Internet it is available to attackers. – zaph Aug 22 '16 at 15:17
  • References: 1. [10 Things You Should Know about Tokens](https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/) 2. [Stealing JWT from authenticated user](https://auth0.com/forum/t/stealing-jwt-from-authenticated-user/352/1) 3. [jwt-decode- github.com](https://github.com/auth0/jwt-decode/issues/4) – LCJ Aug 23 '16 at 00:44
  • [Using JSON Web Tokens as API Keys](https://auth0.com/blog/using-json-web-tokens-as-api-keys/) says > JWTs are digitally signed, so its content cannot be tampered with. – LCJ Aug 24 '16 at 02:46

1 Answer

Content visibility of JWT is not a security issue because the content is protected against alteration by a digital signature. But if an attacker gets access to a token, he can impersonate the user. So use HTTPS if possible and keep the token in secure storage.

If you want to hide the content, JWT can be used with JWE encryption.

Forms authentication will probably use an opaque token in a cookie to maintain the server session. So if you store the JWT in a cookie marked with HttpOnly I would say that the security level is more or less the same. Note that cookies are vulnerable to CSRF attacks. However, storing the JWT in localStorage or accessible with JavaScript will make it vulnerable to XSS attacks.

In any case you need extra security measures, so there is no magic solution and it depends on the context.

EDITED Question 2 (Avoid session hijacking by validating the IP address)

This technique can be applied in the same way to JWT, just adding the source IP address to the token. Since the token is signed, you can compare the source TCP IP address with the token address to validate the token origin.

Note that it is fully possible to send data with a fake sender IP, but the replies will go to the fake IP address used by the sender, so they will never reach the attacker.

But validating the client IP has drawbacks; for example, on mobile devices the IP can change when the user switches from wifi to 4G, and then the current token will be rejected.

pedrofb
  • Could you please clarify whether you are referring to the IP address of the client or the server? The phrase "but replies will go to the fake IP address used" seems confusing. – LCJ Aug 23 '16 at 00:52
  • IP address of the client. The attacker can spoof the IP, but will never get the response – pedrofb Aug 23 '16 at 07:02
  • Thanks for the response. But I am not clear why "never will get the response". Can you please explain? – LCJ Aug 23 '16 at 11:55
  • Suppose an attacker at real IP 1.1.1.1 steals a token issued to 2.2.2.2 by the server at 3.3.3.3. It creates a request with a false IP 2.2.2.2 (*IP address spoofing* https://en.wikipedia.org/wiki/IP_address_spoofing) including the token. **The server will accept the request** because the token is valid and was issued to 2.2.2.2, but the response will be sent to 2.2.2.2, not 1.1.1.1, so it never reaches the attacker. This can also be used for denial-of-service attacks. It is also explained in this post http://stackoverflow.com/a/5180595/6371459 – pedrofb Aug 23 '16 at 18:37
  • A JWT token can be stolen by a hacker. But if he/she modifies the token to include his/her own IP address (1.1.1.1), is there any chance the server will accept it as a valid token? [Assume that the key is available only on the server - and nobody can access it]. – LCJ Aug 23 '16 at 19:15
  • No, without the private key the hacker cannot generate a valid signature for the token and it would be invalid – pedrofb Aug 23 '16 at 19:22
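The answer's IP-binding scheme and the comment thread about tampering, as an added worked example that is not part of the original question, answer or the linked article series. It builds an HS256 JWT from the standard library only (no external JWT library), so the token uses a server-only HMAC secret rather than the asymmetric "private key" the comment mentions; `SECRET_KEY`, the `ip` claim name, the addresses 1.1.1.1 / 2.2.2.2 and the helper names are all assumptions made for this example. It shows the three points argued above: anyone can read the claims without the key, a stolen token presented from a different source address is rejected by the `ip` check, and an attacker who edits the `ip` claim breaks the signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed server-side secret for this example; in a real deployment it lives only on the server.
SECRET_KEY = b"example-server-only-hmac-key"


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, client_ip: str, key: bytes = SECRET_KEY,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose payload records the IP the token was issued to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "ip": client_ip, "iat": now, "exp": now + ttl}
    signing_input = _json_b64(header) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_payload_unverified(token: str) -> dict:
    """What jwt.io shows: the claims are readable by anyone, no key needed."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token: str, source_ip: str, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed header"
    # Pin the algorithm server-side: never let the token choose (rejects "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    # Only now are the claims trustworthy: the server itself produced this payload.
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("ip") != source_ip:
        return False, "ip mismatch"
    return True, "ok"


def forge_ip_claim(token: str, new_ip: str) -> str:
    """Attacker edits the ip claim; without the key the old signature is all they can attach."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["ip"] = new_ip
    return header_b64 + "." + _json_b64(payload) + "." + sig_b64


if __name__ == "__main__":
    tok = issue_token("alice", "2.2.2.2")          # issued to the legitimate client
    print(decode_payload_unverified(tok))          # readable without the key
    print(verify_token(tok, "2.2.2.2"))            # (True, 'ok')
    print(verify_token(tok, "1.1.1.1"))            # stolen, replayed from elsewhere
    print(verify_token(forge_ip_claim(tok, "1.1.1.1"), "1.1.1.1"))  # tampered claim
```

`source_ip` must be the address the server actually observed on the TCP connection (or the one a trusted reverse proxy forwarded), never a value taken from the request body or an unvalidated header, otherwise the attacker simply supplies the address that matches the claim. The mobile-network caveat from the answer applies unchanged: a legitimate client whose address changes will fail the `ip mismatch` check and needs to re-authenticate.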