RatSec

RatSec Blog

  1. Home
    2. »
  2. Uncategorized
    3. » JWT for Beginners

JWT for Beginners

- Posted in Uncategorized by

JWT for Beginners

1. JWT Overview:

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims between two parties. JWTs are often used for authentication, information exchange, and authorization in web development.

2. JWT Structure:

  • Header (Base64Url encoded JSON):

    • Contains metadata about the type of token (JWT) and the signing algorithm used.
    • Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  • Payload (Base64Url encoded JSON):

    • Contains claims. Claims are statements about an entity (typically, the user) and additional data.
    • Common claims: iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
    • Example: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

  • Signature:

    • Created by hashing the encoded Header and encoded Payload with a secret key using the specified algorithm.
    • Example: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  • JWT Example:

    • Concatenated Header, Payload, and Signature: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0...SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

3. Creating a JWT:

  • Choose a signing algorithm (e.g., HMAC SHA-256) and obtain a secret key.
  • Encode Header and Payload into Base64Url format.
  • Concatenate encoded Header, a dot (.), and encoded Payload.
  • Sign the concatenated string using the secret key to create the Signature.
  • Concatenate the previous string with another dot (.) and the Signature to obtain the final JWT.

4. Verifying a JWT:

  • Split JWT into Header, Payload, and Signature.
  • Base64Url decode the Header and Payload.
  • Verify the Signature using the original Header, Payload, and the secret key.
  • Check claims in the Payload for validation.

5. Use Cases:

  • Authentication:

    • After successful login, a server issues a JWT to be sent with subsequent requests.

  • Information Exchange:

    • Secure transmission of information between parties, often used in API communication.

  • Authorization:

    • Include user roles and permissions in the Payload to control access.

6. Security Considerations:

  • Always use HTTPS to prevent interception of JWTs.
  • Safeguard the secret key; never expose it to clients.
  • Be cautious about storing sensitive information in the Payload.

7. Best Practices:

  • Keep JWTs short-lived; leverage expiration (exp) claims.
  • Consider token revocation mechanisms for added security.

Related Posts

SMB Enumeration

SMB enumeration Identify the target IP address or hostname.... more

Top 15 tips to get into...

Getting started in the field of cybersecurity involves a... more

top 10 developer...

As a developer focusing on cybersecurity and coding, your... more