Skip to content

JSON Web Token (JWT)

Service Name: JSON Web Token

Service Description: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Service Address: https://jwt.io/

Validation Type: API Auth

IP Allow list: Does not exist at the token level. IP restrictions would need to be implemented at the application or service level that consumes the JWT.

Secret Access Scope: Grants authentication and authorization to protected resources. The scope depends on the claims contained within the JWT and how the receiving application interprets them.

Secret Revokement URL: Does not exist directly. JWTs are typically revoked by: 1. Setting a short expiration time 2. Implementing a token blacklist/database 3. Changing the signing key

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Suspicious Activity Investigation Instructions:

  • Decode the JWT to examine its claims and verify if they match expected values.
  • Check for unusual IP addresses or locations in access logs where the JWT was used.
  • Look for abnormal usage patterns or access to resources not typically accessed.
  • Verify if the JWT was used after its expected expiration time
  • Check for multiple failed authentication attempts before successful JWT usage

Mitigation Instructions:

  • Rotate the JWT signing key/secret immediately
  • Update the JWT signing algorithm to a more secure one if necessary (e.g., from HS256 to RS256)
  • Implement or update token blacklisting to invalidate all currently active tokens
  • Reduce token expiration times to limit the window of vulnerability
  • Add additional claims to tokens such as IP binding or device fingerprinting
  • Implement multi-factor authentication for sensitive operations
  • Review and update JWT validation logic to ensure proper signature verification