We are using OpenID Connect in our application for authentication and authorization. The generated ID token is in JWT format and is stored in a cookie in httpOnly mode.
We have a Penetration Testing finding where they extracted the SESSIONID field. Its value was the JWT. As with all JWT implementations, it is encoded in base64 and can easily be decoded. Hence, the values in the payload section were seen. They told us this is a security issue.
My questions are:
The Pentest finding got me confused, since Base64 encoding is a standard part of JWT and we are already using HTTPS in our connections. So I do not understand how the value in the payload can be exposed to others.
I have also read that it's possible for a JWT to be encrypted (JWE - JSON Web Encryption). If this is the case, and base64 encoding is a weak encoding and a vulnerability, why don't we encrypt all JWTs instead?
The issue is not about susceptibility to tampering. It's about the contents of the payload being exposed (as per the penetration testers). My question is: if it's in a cookie with httpOnly, how can this still be a vulnerability?
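The distinction the question turns on, as an added example that is not part of the original post: a signed JWT (JWS) protects integrity with its signature, but its payload is only base64url-encoded, so anyone who holds the token value (the browser, a proxy, a log file) can read the claims without any key. The signing key and claims below are constructed values, not anything from the original question.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; only the token issuer would hold this.
SIGNING_KEY = b"example-hs256-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jws(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT (a JWS): header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def read_payload_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is plain base64url,
    so no key is involved. Encoding is not encryption (that is what JWE adds)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jws(token: str, key: bytes) -> bool:
    """The signature gives integrity, not confidentiality: a modified payload
    fails this check, but reading the payload never required the key."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def replace_payload(token: str, new_claims: dict) -> str:
    """Swap the payload while keeping the old signature, to show verification fails."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(new_claims).encode())}.{sig}"


if __name__ == "__main__":
    token = make_jws({"sub": "alice", "email": "alice@example.test", "role": "user"}, SIGNING_KEY)
    print(read_payload_without_key(token))  # claims readable with no key at all
    print(verify_jws(token, SIGNING_KEY))   # True: untouched token verifies
    print(verify_jws(replace_payload(token, {"sub": "alice", "role": "admin"}), SIGNING_KEY))  # False
```

The practical consequence is that claims in a JWS payload should be treated as visible to the token holder and to anything on the path that logs or inspects the cookie; sensitive data belongs in a JWE or server-side, not in the JWS payload.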