I. Darmawan, Aditya Pratama Abdul Karim, A. Rahmatulloh, R. Gunawan, Dita Pramesti
{"title":"JSON Web Token Penetration Testing on Cookie Storage with CSRF Techniques","authors":"I. Darmawan, Aditya Pratama Abdul Karim, A. Rahmatulloh, R. Gunawan, Dita Pramesti","doi":"10.1109/ICADEIS52521.2021.9701965","DOIUrl":null,"url":null,"abstract":"An authentication process is an act of proving the identity of a user when entering a system. Token-based authentication is a type of authentication that is stateless. This means that when the authentication process is carried out, there is absolutely no information about the user because the use of tokens in every request is made from the client to the server. Java Script Object Notation (JSON) Web Token is an authentication technique that provides an open and secure way to represent claims between two parties, cryptographically signed, which is designed not to be forged. However, this needs to be proven safe and not vulnerable. The purpose of this study is to conduct penetration testing of the security of JSON Web Token (JWT) storage on cookie storage using CSRF techniques. Scenarios for performing the CSRF technique were prepared in the experiment. The system architecture and tools to be used are prepared before the experiment is carried out. The experimental results in this study show that the part of the cookie attribute that embeds the flag “set-httponly: false”, can be accessed by javascript on the client-side (read and write). The CSRF technique that was tried in the research has succeeded in utilizing JWT tokens stored in cookies to send faked requests. Eventually, the victim’s account was used, and the resource was taken over.","PeriodicalId":422702,"journal":{"name":"2021 International Conference Advancement in Data Science, E-learning and Information Systems (ICADEIS)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 International Conference Advancement in Data Science, E-learning and Information Systems (ICADEIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICADEIS52521.2021.9701965","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
An authentication process is an act of proving the identity of a user when entering a system. Token-based authentication is a type of authentication that is stateless. This means that when the authentication process is carried out, there is absolutely no information about the user because the use of tokens in every request is made from the client to the server. Java Script Object Notation (JSON) Web Token is an authentication technique that provides an open and secure way to represent claims between two parties, cryptographically signed, which is designed not to be forged. However, this needs to be proven safe and not vulnerable. The purpose of this study is to conduct penetration testing of the security of JSON Web Token (JWT) storage on cookie storage using CSRF techniques. Scenarios for performing the CSRF technique were prepared in the experiment. The system architecture and tools to be used are prepared before the experiment is carried out. The experimental results in this study show that the part of the cookie attribute that embeds the flag “set-httponly: false”, can be accessed by javascript on the client-side (read and write). The CSRF technique that was tried in the research has succeeded in utilizing JWT tokens stored in cookies to send faked requests. Eventually, the victim’s account was used, and the resource was taken over.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
