Insights on JWT and OAuth 2.0 Security
Earlier this month, Lene and Joris attended the OWASP Top 10 meetup in Diegem, where some eye-opening discussions took place on web security. One standout session focused on JSON Web Tokens (JWT), a widely used technology to securely transmit information between two parties, typically as a token. JWTs are powerful tools, enabling seamless authentication across services and applications. But, as I learned, even such robust systems carry potential risks.
The talk, led by Louis Nyffenegger, founder of PentesterLab, delved into real-world examples of attackers successfully exploiting vulnerabilities in JWTs. His insights highlighted the importance of staying proactive in identifying and addressing these risks—something we take to heart at nFuse through our focus on continuous improvement and proactivity.
Encryption
Nyffenegger began by explaining the two kinds of key schemes used to sign and verify JWTs: symmetric and asymmetric.
- Symmetric encryption relies on a single shared key to create and verify the JWT.
- Asymmetric encryption involves two keys: a private key to sign the JWT and a public key to verify it. Only the private key holder can create the JWT, but anyone with the public key can validate it.
Though JWTs are designed to be secure, attackers have developed methods to bypass signature verification and tamper with tokens. One notable example abuses the signature algorithm field, the very mechanism that is supposed to guarantee the token's integrity. Nyffenegger demonstrated how some systems still accept the "none" algorithm, which removes the need for a signature altogether and opens the door to forged tokens.
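The usual defence against the "none" trick is to pin the accepted algorithm on the server instead of trusting whatever the token's header claims. The block below is an added example, not code from the talk or from nFuse: a minimal stdlib-only HS256 verifier with a constructed demo secret, which accepts a properly signed token and refuses an unsigned alg:none token of the shape described above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads its key from a secret store.
SECRET = b"demo-shared-secret-not-for-production"
ALLOWED_ALG = "HS256"  # the only algorithm this verifier will ever accept


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes = SECRET) -> str:
    """Issue a JWT signed with a shared (symmetric) key."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def unsigned_token(payload: dict) -> str:
    """Constructed hostile input: an 'alg: none' token with an empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_hs256(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the payload only if the token carries a valid HS256 signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # The header is attacker-controlled, so never dispatch on its "alg" value:
    # anything other than the pinned algorithm, including "none", is refused.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(_unb64url(payload_b64))
    except ValueError:
        return None
```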
Beyond JWT, Dr Philippe De Ryck, founder of Pragmatic Web Security, spoke about OAuth 2.0, a widely adopted login framework. While often considered reliable, the talk highlighted how common misconfigurations and practices around OAuth 2.0 can make apps vulnerable to attacks. At nFuse, we emphasize transparency with our customers, ensuring that security measures and potential risks are clearly communicated, empowering them to make informed decisions.
One solution that stood out was the Backend-for-Frontend (BFF) pattern, which minimizes risk by keeping sensitive data, like tokens, on a secure backend server rather than in the browser. By isolating these tokens in the backend, attackers have fewer opportunities to intercept them, even if they compromise the front end. This approach ties back to nFuse’s commitment to unburdening our customers by providing reliable solutions to prevent issues before they arise.
I found these talks engaging, with content that sparked my interest. The presentation style was enjoyable, keeping my attention throughout the evening and inspiring me to explore these subjects further, especially since my prior knowledge was limited.
– Lene, Technical Consultant
Wrap-up
Attending these sessions was a valuable reminder that web security is an evolving field—there’s always more we can do to safeguard our systems and data. Our nFuse approach reflects these principles through clear SLAs and a partnership model that protects our customers’ operations. At the same time, we continue to improve our behind-the-scenes processes.