Summary of Three New Attacks Against JSON Web Tokens

The video discusses attacks against JSON Web Tokens (JWTs) and highlights vulnerabilities in their implementations. It explains the background of JWTs, the problems they solve, and the risks involved in using cryptographic tokens. Earlier JWT vulnerabilities are reviewed before three new attacks are introduced: sign/encrypt confusion, polyglot JWTs, and the billion hashes attack. These attacks exploit flaws in how JWT libraries handle token validation, which underlines the need for careful implementation and clearer standards in the JWT specifications. The importance of vulnerability disclosure and of patching vulnerable libraries is stressed, along with the complexity and risk that JWTs introduce compared to traditional tokens.

The recommended methodology is to focus on popular libraries with known vulnerabilities; to avoid unnecessary complexity by using a traditional session database when cryptographic tokens are not needed; to enforce specific algorithms for security; and to consider alternative cryptographic tokens with tighter designs. Security is prioritized over features in JWT implementations.
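The summary recommends enforcing specific algorithms rather than trusting whatever a token's header announces. The following Python verifier is an added illustration of that principle; it is not code from the talk or from any JWT library. Function names (`sign_hs256`, `verify_strict`, `verification_outcome`, `demo`), the key and the claims are all constructed for this example. The verifier fixes the algorithm from its own configuration, rejects any token whose segment layout or header does not match a plain HS256 JWS, and only then performs a constant-time signature check.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; hypothetical verifier written for this summary only.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_ALGS = {"HS256"}  # the verifier's allowlist; a token header can never widen it


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) using HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Return the claims only if the token is an HS256 JWS under `key`; raise ValueError otherwise."""
    if expected_alg not in ALLOWED_ALGS:
        raise ValueError("verifier misconfigured: algorithm not in allowlist")
    parts = token.split(".")
    # A JWS has exactly three segments. A five-segment JWE (or anything else) is
    # rejected before parsing, so an encrypted token cannot be accepted where a
    # signed one is expected.
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments (JWS), got {len(parts)}")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # The algorithm is decided by the verifier's configuration, not by the token:
    # "none", an asymmetric alg or an encryption alg all fail this comparison
    # before any cryptographic operation is attempted.
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} is not the configured {expected_alg!r}")
    if "enc" in header:  # "enc" is a JWE-only header parameter
        raise ValueError("header carries a JWE 'enc' parameter; encrypted tokens are not accepted here")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def verification_outcome(token: str, key: bytes) -> str:
    """Small wrapper that turns accept/reject into a string for the demo table."""
    try:
        verify_strict(token, key)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Run the strict verifier over a valid token and three constructed malformed ones."""
    claims = {"sub": "alice", "role": "user"}  # constructed claims
    good = sign_hs256(claims, DEMO_KEY)
    # Same claims with alg=none and an empty signature segment
    unsigned = _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."
    # A token laid out like a JWE: header, empty encrypted key, iv, ciphertext, tag
    jwe_shaped = ".".join([
        _encode_json({"alg": "dir", "enc": "A256GCM"}),
        "",
        _b64url_encode(b"iv"),
        _b64url_encode(b"ct"),
        _b64url_encode(b"tag"),
    ])
    wrong_key = sign_hs256(claims, b"other-constructed-key")
    return {
        "valid": verification_outcome(good, DEMO_KEY),
        "alg_none": verification_outcome(unsigned, DEMO_KEY),
        "jwe_shaped": verification_outcome(jwe_shaped, DEMO_KEY),
        "wrong_key": verification_outcome(wrong_key, DEMO_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Running the block prints one line per case: only the genuine HS256 token is accepted; the unsigned token, the JWE-shaped token and the token signed under a different key are each rejected with a specific reason. The point is the ordering of checks: layout and algorithm are validated against the verifier's own expectations first, and the signature is checked last, so no header field in the token can steer the verifier into a different code path.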
