chore: add pre-commit hooks
@ -113,4 +113,4 @@ a.list-group-item.active small {
.meta a:hover {
color: rgba(0, 0, 0, .87);
}
}
@ -56,4 +56,3 @@ Instead, use static keys that are securely managed and updated regularly.
- **Audit and monitoring**: Regularly audit JWT usage, monitor for suspicious activity, and implement anomaly detection mechanisms.
- **Security testing**: Regularly perform security testing, including penetration testing and code reviews, to identify and remediate potential vulnerabilities.
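Review bot: the context line "Instead, use static keys that are securely managed and updated regularly" reads as self-contradictory ("static" but "updated regularly"); suggest "Instead, use fixed, securely managed signing keys that are rotated on a schedule" so the recommendation is unambiguous to the reader.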
@ -3,4 +3,3 @@
Below you see two accounts, one of Jerry and one of Tom.
Jerry wants to remove Tom's account from Twitter, but his token can only delete his account.
Can you try to help him and delete Toms account?
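Review bot: typo in the last line of this hunk, "delete Toms account" should read "delete Tom's account" (the previous line already uses "Tom's account").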
@ -9,4 +9,3 @@ eyJhbGciOiJIUzI1NiJ9.ew0KICAiYXV0aG9yaXRpZXMiIDogWyAiUk9MRV9BRE1JTiIsICJST0xFX1V
----
Copy and paste the following token and decode the token, can you find the user inside the token?
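Review bot: the instruction line is a comma splice that repeats "the token" three times; suggest "Copy the following token and decode it. Can you find the user inside it?"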
@ -58,4 +58,3 @@ try {
----
Can you spot the weakness?
@ -43,4 +43,4 @@ One of the drawbacks of using this method is that JWT is widely spread for examp
For more information take a look at the following video:
video::RijGNytjbOI[youtube, height=480, width=100%]
video::RijGNytjbOI[youtube, height=480, width=100%]
@ -16,4 +16,3 @@ information in the token to identify the user.
The token contains claims to identify the user and all other information necessary for the server to fulfill the request.
Be aware not to store sensitive information in the token and always send it over a secure channel.
@ -6,4 +6,4 @@ Some best practices when working with JWT:
- Make sure you use an appropriate key length when using a symmetric key for signing the token.
- Make sure the claims added to the token do not contain personal information. If you need to add more information opt for encrypting the token as well.
- Add sufficient test cases to your project to verify invalid tokens actually do not work. Integration with a third party to check your token does not mean you do not have test your application at all.
- Take a look at the best practices mentioned in https://tools.ietf.org/html/rfc8725#section-2
- Take a look at the best practices mentioned in https://tools.ietf.org/html/rfc8725#section-2
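Review bot: missing word in the third bullet, "does not mean you do not have test your application" should read "does not mean you do not have to test your application". The first bullet's "appropriate key length" is vague for a best-practices list; RFC 7518 section 3.2 requires an HMAC key at least as long as the hash output (256 bits for HS256), and stating that number here would make the advice actionable.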
@ -1,6 +1,6 @@
= JWT Tokens
== Concept
== Concept
This lesson teaches about using JSON Web Tokens (JWT) for authentication and the common pitfalls you need to be aware of
when using JWT.
@ -34,7 +34,3 @@ the validity and integrity of the token in a secure way, all of this in a statel
and portable approach (portable in the way that client and server technologies can
be different including also the transport channel even if HTTP is the most often used)
-------------------------------------------------------
@ -85,4 +85,3 @@ application you are better of using plain old cookies. See for more information:
- http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/[stop-using-jwt-for-sessions, window="_blank"]
- http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/[stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work, window="_blank"]
- http://cryto.net/~joepie91/blog/attachments/jwt-flowchart.png[flowchart, window="_blank"]
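Review bot: typo in the hunk's context line, "you are better of using plain old cookies" should read "you are better off using plain old cookies".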
@ -9,5 +9,3 @@ found in a private bug bounty program on Bugcrowd, you can read the full write u
From a breach of last year the following logfile is available link:images/logs.txt[here]
Can you find a way to order the books but let *Tom* pay for them?
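Review bot: the sentence ending in "link:images/logs.txt[here]" has no terminal punctuation and "From a breach of last year" is awkward; suggest "From a breach last year, the following log file is available link:images/logs.txt[here]." A text log served from the images/ directory is also surprising for a reader; if the lesson layout allows, a resources or attachments path would be clearer.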
@ -14,7 +14,3 @@ to be aware of before validating the token.
== Assignment
Try to change the token you receive and become an admin user by changing the token and once you are admin reset the votes
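Review bot: the assignment line is a run-on with no terminal punctuation and says "change the token" twice; suggest "Try to modify the token you receive so that you become an admin user, then reset the votes."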
@ -86,6 +86,3 @@ Now we can replace the token in the cookie and perform the reset again. One thin
For more information take a look at the following video:
video::wt3UixCiPfo[youtube, height=480, width=100%]
@ -32,4 +32,4 @@ information about how this attack works.
The best recommendation is to choose for the cookie based approach. In practise it is easier to defend against a CSRF
attack. On the other hand many JavaScript frameworks are protecting the user for a XSS attack by applying the right
encoding, this protection comes out of the box. A CSRF protection sometimes is not provided by default and requires work.
In the end take a look at what the framework is offering you, but most of the time a XSS attack gives the attacker more leverage.
In the end take a look at what the framework is offering you, but most of the time a XSS attack gives the attacker more leverage.
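Review bot: several wording issues in this paragraph: "choose for the cookie based approach" should be "choose the cookie-based approach", "In practise" should be "In practice", "protecting the user for a XSS attack" should be "protecting the user against an XSS attack", and "a XSS attack" in the last line should be "an XSS attack".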
@ -13,5 +13,3 @@ The token is base64 encoded and consists of three parts:
Both header and claims consist are represented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
The claims represent a JSON object whose members are the claims conveyed by the JWT.
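Review bot: grammar in the first line, "Both header and claims consist are represented by a JSON object" should read "Both header and claims are represented by a JSON object". The context line "The token is base64 encoded" is also imprecise: per RFC 7515 the three parts are base64url-encoded without padding, and spelling that out helps readers who try to decode a token with a plain base64 decoder and get an error.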
@ -7,4 +7,3 @@ dictionary attack is not feasible. Once you have a token you can start an offlin
=== Assignment
Given we have the following token try to find out secret key and submit a new key with the username changed to WebGoat.
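Review bot: the assignment line is missing an article ("find out the secret key") and "submit a new key with the username changed to WebGoat" appears to mean a new token rather than a new key; suggest "Given the following token, try to find out the secret key and submit a new token with the username changed to WebGoat."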
@ -6,7 +6,7 @@ jwt-invalid-token=Not a valid JWT token, please try again
jwt-only-admin=Only an admin user can reset the votes
jwt-change-token-hint1=Select a different user and look at the token you receive back, use the delete button to reset the votes count
jwt-change-token-hint2=Decode the token and look at the contents
jwt-change-token-hint3=Change the contents of the token and replace the cookie before sending the request for getting the votes
jwt-change-token-hint3=Change the contents of the token and replace the cookie before sending the request for getting the votes
jwt-change-token-hint4=Change the admin field to true in the token
jwt-change-token-hint5=Submit the token by changing the algorithm to None and remove the signature
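Review bot: jwt-change-token-hint5 writes the algorithm value as "None" while the jwt-refresh-alg-none message in the next hunk writes it as 'alg: none'; the RFC 7518 value is lowercase "none", so the hint text should use the same spelling for consistency.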
@ -23,7 +23,7 @@ jwt-refresh-hint4=Use the found access token in the Authorization: Bearer header
jwt-refresh-not-tom=User is not Tom but {0}, please try again
jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' can you also solve it by using the refresh token?
jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
jwt-final-not-tom=Username is not Tom try to pass a token for Tom
jwt-jku-hint1=Take a look at the token and specifically and the header
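Review bot: typo in jwt-jku-hint1, "specifically and the header" should read "specifically at the header"; jwt-refresh-alg-none and jwt-final-not-tom are also missing a comma or period before the second clause ("'alg: none', can you also..." and "Username is not Tom, try to...").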
@ -31,6 +31,3 @@ function updateTotal() {
}
@ -6,4 +6,3 @@ function follow(user) {
$("#toast").append(result);
})
}
@ -39,4 +39,4 @@ function newToken() {
localStorage.setItem('refresh_token', refreshToken);
}
)
}
}
@ -84,4 +84,3 @@ function vote(title) {
)
}
}
@ -2,4 +2,4 @@ $(document).ready(
function(){
$("#secrettoken").load('JWT/secret/gettoken');
}
);
);
@ -17,4 +17,4 @@
}
}
]
}
}