
JWT Security Cheatsheet

The document provides information about reviewing the header, payload, and signature of a JSON Web Token (JWT) for security issues. It lists things to check such as supported algorithms, injection points, expiry enforcement, replay protection, and sensitive data in the payload.

Uploaded by: Sumita Arora
Copyright: © All Rights Reserved

JSON Web Token Security Cheat Sheet

Header . Payload . Signature

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9               urlsafe_base64*({"..."})
.eyJsb2dpbiI6ImFkbWluIn0                           urlsafe_base64*({"..."})
.FSfvCBAwypJ4abF6jFLmR7JgZhkW674Z8dIdAIRyt1...     urlsafe_base64*(...)

* urlsafe_base64 with no padding: https://tools.ietf.org/html/rfc7515#appendix-C

Header review:
- Support for "None" algorithm disabled
- No injection in the "kid" element
- Embedded "jwk" elements are not trusted
- Whitelist of algorithms enforced

Payload review:
- Check for sensitive information stored in the payload
- Check for token's expiry enforced via "exp" or "iat" elements
- Replay protection via "jti" element

Signature review:
- Check if the signature is enforced
- Try to brute force the secret key
- Check for time constant verification for HMAC
- Ensure that keys and secrets are stored outside of source
- Check that keys and secrets are different between environments
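The following is an added example, not code from PentesterLab or the cheat sheet: a small HS256 verifier that turns the header, payload and signature checks above into code. It decodes the sample header and payload segments printed on the sheet (the sheet's signature is truncated, so the tokens it verifies are minted locally with a constructed demo key); the allow-list, the embedded-key rejection, the constant-time HMAC comparison via hmac.compare_digest, the "exp" check and the in-memory "jti" replay cache are all assumptions of this example, chosen to show the defensive side of each review item.

```python
import base64
import hashlib
import hmac
import json
import time

# Header and payload segments of the sample token printed on the cheat sheet.
# The sheet truncates the signature, so every signed token used below is
# minted here with a constructed demo key.
SAMPLE_HEADER_B64 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
SAMPLE_PAYLOAD_B64 = "eyJsb2dpbiI6ImFkbWluIn0"
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; real keys live outside source

# Header review: explicit allow-list. "none" is absent, so it can never be selected.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(segment: str) -> bytes:
    """urlsafe_base64 without padding (RFC 7515 appendix C): restore '=' then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Parse one JSON segment (header or payload) without verifying anything."""
    return json.loads(b64url_decode(segment))


def encode_token(header: dict, payload: dict, key: bytes) -> str:
    """Serialize a JWS compact token. Used here only to build verifier test inputs;
    alg "none" yields an empty signature segment so the reject path can be exercised."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


class SeenJti:
    """Replay cache keyed on "jti". In-memory for the demo; production needs a
    shared store whose entries live at least until the token's "exp"."""

    def __init__(self):
        self._seen = set()

    def first_use(self, jti: str) -> bool:
        if jti in self._seen:
            return False
        self._seen.add(jti)
        return True


def verify(token: str, key: bytes, seen: SeenJti, now=None) -> dict:
    """Return the payload if every check on the cheat sheet passes, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts

    # --- Header review ---
    header = decode_segment(h_b64)
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and any unexpected alg
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    if "jwk" in header or "jku" in header:  # keys carried inside the token are untrusted
        raise ValueError("embedded keys are not trusted")
    # "kid" is never fed into a file path, SQL or shell here: one server-side key, no lookup.

    # --- Signature review ---
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not s_b64 or not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time
        raise ValueError("bad signature")

    # --- Payload review (only after the signature is known good) ---
    payload = decode_segment(p_b64)
    if "exp" not in payload:
        raise ValueError("missing exp")
    if now >= int(payload["exp"]):
        raise ValueError("token expired")
    if "jti" not in payload or not seen.first_use(payload["jti"]):
        raise ValueError("missing or replayed jti")
    return payload


def check(token: str, key: bytes, seen: SeenJti, now) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify(token, key, seen, now)
        return "ok"
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueError subclasses
        return str(exc)


if __name__ == "__main__":
    print(decode_segment(SAMPLE_HEADER_B64), decode_segment(SAMPLE_PAYLOAD_B64))
    cache = SeenJti()
    good = encode_token({"typ": "JWT", "alg": "HS256"},
                        {"login": "admin", "exp": 2000, "jti": "req-1"}, DEMO_KEY)
    print(check(good, DEMO_KEY, cache, now=1000))  # ok
    print(check(good, DEMO_KEY, cache, now=1000))  # missing or replayed jti
```

Two design points worth noting: the payload is only parsed once the signature has been checked, so nothing in an unauthenticated body influences control flow, and the "jti" is only recorded after the expiry check, so an expired token cannot poison the replay cache. The sensitive-data item on the sheet is a review question rather than a runtime check: the sample payload here carries only a login name, which is the kind of content that belongs in a token.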

PentesterLab.com / @PentesterLab
