Timeline for Compromised JSON Web Token (JWT) Bearer Token
Current License: CC BY-SA 3.0
12 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Feb 10, 2016 at 20:12 | history edited | Hari Krishna Ganji | CC BY-SA 3.0 | added 8 characters in body |
| Jul 17, 2015 at 12:08 | comment added | Hari Krishna Ganji | | @DavidV Yeah, IP address can be spoofed. But it can limit the attack vector, making it compulsory to have knowledge of the IP address. However, IP address is just one way. But you can come up with other information you can embed. Losing a JWT token is like losing your house keys. You can send a JWT as a cookie and mark it HttpOnly, so that it is not easily stolen. Also you can encrypt your entire JWT to keep your IP and other stuff secret and difficult to spoof. One way to go about it would be JWE (tools.ietf.org/html/draft-ietf-jose-json-web-encryption-39) |
| Jun 24, 2015 at 16:32 | comment added | David V | | Because the IP address can be spoofed, validating the IP address against the JWT will not always be effective. The attacker may not be able to extract information with a GET request. But if the attacker uses a POST or PUT, they may be able to modify the server with the un-expired JWT. |
| Apr 27, 2015 at 16:11 | comment added | Hari Krishna Ganji | | Oh! Thanks for pointing it out. I am now confused. :-) However, taking another look at Question #1 ("token secret which is shared between a client and the server") makes me think again. A token secret is never shared with the client. I wonder what the author was actually referring to. |
| Apr 17, 2015 at 16:35 | comment added | Dan Esparza | | Got it. I guess I was just pointing out the OP specifically asked about a "compromised token secret" in question #1. |
| Apr 16, 2015 at 6:57 | comment added | Hari Krishna Ganji | | I agree, but everything above I have mentioned is with respect to the token itself. It is assumed that a token secret is never compromised and lives inside the server in a secure way. It's a different challenge on its own. |
| Apr 15, 2015 at 17:41 | comment added | Dan Esparza | | Adding the IP address and even verifying it won't remove the consequences of the compromised token secret. If the token secret is compromised, a 3rd party can sign forged tokens (which would include a forged IP address or expiration date). The token secret is vital. |
| Jan 27, 2015 at 21:23 | history edited | Hari Krishna Ganji | CC BY-SA 3.0 | added 23 characters in body |
| Jan 7, 2015 at 13:02 | history edited | Hari Krishna Ganji | CC BY-SA 3.0 | added 104 characters in body |
| Oct 20, 2014 at 21:27 | history edited | Hari Krishna Ganji | CC BY-SA 3.0 | added 490 characters in body |
| Oct 20, 2014 at 21:20 | review: First posts | | | Oct 20, 2014 at 21:35 |
| Oct 20, 2014 at 21:19 | history answered | Hari Krishna Ganji | CC BY-SA 3.0 | |