January 2019


Vulnerabilities in JWT libraries

JSON Web Tokens (JWTs) are commonly used for authorization, since they provide a structured way to describe a token that can be used for access control. However, JWT libraries may contain flaws, and they must be used in the correct way. The Capture the Flag event co-organized by Debricked at Lund University included examples of this problem.

JWTs are protected with either a digital signature or an HMAC, so that their contents cannot be manipulated. This makes them very useful in distributed or stateless scenarios, where the token may be issued by one entity and then verified by another. Because of the integrity protection, the verifying party can be sure that the token has not been manipulated since it was issued.

A JWT consists of three parts: header, payload, and signature. The header and payload are both JSON objects, while the format of the signature part…
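As an added worked example (not code from the original post, and not Debricked's or any JWT library's code), the following Python builds an HMAC-protected (HS256) token from the three parts described above using only the standard library, then verifies it. The key and the payload are constructed sample values; the verifier deliberately pins the algorithm it expects and compares the HMAC in constant time, which is the "used in the correct way" part of the argument: the token's own header is checked against the verifier's expectation, never trusted to choose the algorithm.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment uses a randomly generated secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_hs256_jwt(payload: dict, key: bytes) -> str:
    """Assemble header.payload.signature; the HMAC covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token is intact, otherwise None.

    The verifier decides the algorithm (HS256) up front; the header's "alg"
    field is only checked for agreement, never used to select a verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        tag = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap the payload part while keeping the original header and signature.

    Used below to show that the integrity protection catches any change to
    the payload made after the token was issued.
    """
    header_b64, _, sig_b64 = token.split(".")
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body}.{sig_b64}"


if __name__ == "__main__":
    token = create_hs256_jwt({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("issued:  ", token)
    print("verified:", verify_hs256_jwt(token, DEMO_KEY))
    altered = replace_payload(token, {"sub": "alice", "role": "admin"})
    print("altered payload accepted?", verify_hs256_jwt(altered, DEMO_KEY) is not None)
```

Running the script prints the three dot-separated parts, the recovered payload, and `False` for the altered token: because the HMAC was computed over the original header and payload, any change to either part fails verification, and a token presented with a different key fails in the same way.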