JWT Security Cheatsheet

The document provides information about reviewing the header, payload, and signature of a JSON Web Token (JWT) for security issues. It lists things to check such as supported algorithms, injection points, expiry enforcement, replay protection, and sensitive data in the payload.

Uploaded by

Sumita Arora
Copyright
© All Rights Reserved

JSON Web Token Security Cheat Sheet

Header . Payload . Signature

A JWT is three urlsafe_base64* strings joined by dots. The sample token on the sheet decodes as follows:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9            = urlsafe_base64*({"typ":"JWT","alg":"HS256"})
.eyJsb2dpbiI6ImFkbWluIn0                         = urlsafe_base64*({"login":"admin"})
.FSfvCBAwypJ4abF6jFLmR7JgZhkW674Z8dIdAIRyt1...   = urlsafe_base64*(signature over "header.payload")

* urlsafe_base64 with no padding: https://tools.ietf.org/html/rfc7515#appendix-C

Header review:

- Support for "None" algorithm disabled
- No injection in the "kid" element
- Embedded "jwk" elements are not trusted
- Whitelist of algorithms enforced

Payload review:

- Check for sensitive information stored in the payload
- Check for token's expiry enforced via "exp" or "iat" elements
- Replay protection via "jti" element

Signature review:

- Check if the signature is enforced
- Try to brute force the secret key
- Check for time constant verification for HMAC
- Ensure that keys and secrets are stored outside of source
- Check that keys and secrets are different between environments

PentesterLab.com / @PentesterLab
