jwt icon indicating copy to clipboard operation
jwt copied to clipboard

Published 20 hours ago verified publisher icon lcobucci

Add withClaim validation for custom claim validation

Open james-bw opened this issue 2 years ago • 4 comments

OWASP has a list of things to improve security in JWT. One of those things regarding token sidejacking is validating custom claims against a random fingerprint. It would be great if this library provided a way to compare custom claims and values and validate the claim exists and the value is correct.

james-bw avatar Mar 30 '22 06:03 james-bw

This is possible by writing custom Constraint implementations?

https://github.com/lcobucci/jwt/blob/40e92badbed677404b93b35610c39d8533899e68/src/Validation/Constraint.php#L1-L12

In addition to that:

One of those things regarding token sidejacking is validating custom claims against a random fingerprint.

This is literally what a cryptographic signature does:

  1. a CSPRNG-based random fingerprint is generated
  2. then hashed/signed with a public key or a secret
  3. the receiving party validates the hash/signature with a public key or a secret

The whole linked chapter seems very weak, in this regard :|

Ocramius avatar Mar 30 '22 10:03 Ocramius

I don't really like that OWASP page, too. It is assuming that tokens are used in a browser context, so that it is possible to add a cookie that has a string, and then make the token contain the hash of the string.

What about not allowing the token to be intercepted in the first place? This whole chapter sounds like it is trying to fix a situation that already went downhill, i.e. there is no reason to believe if an attacker is able to intercept the token, it's impossible to intercept any other cookie as well.

SvenRtbg avatar Mar 30 '22 15:03 SvenRtbg

What about not allowing the token to be intercepted in the first place?

From a security perspective you have to mitigate risks. It's impossible to force clients (e.g. browsers) and server developers to never possibly use HTTP, which will always be exposed to man-in-the-middle attacks.

there is no reason to believe if an attacker is able to intercept the token, it's impossible to intercept any other cookie as well.

True, but it increases the complexity of the JWT defence, and therefore reduces the number of script kiddies who can execute an attack. Additionally, alternate options for fingerprinting (browser local storage, validating against an internal cache/redis lookup) can be used with this PR. I think addition of the validation of a claim is of value to the library whether or not the OWASP example is followed. The OWASP example is, I think, trying to add the concept of CSRF tokens to JWTs, which is a well-known security pattern.

james-bw avatar Apr 01 '22 02:04 james-bw

it increases the complexity of the JWT defence

That honestly sounds a bit like "security by obfuscation". However, I still believe the constraint is useful =)

lcobucci avatar Apr 01 '22 12:04 lcobucci