شماره ۱
اگر مسئولیت تامین امنیت اپلیکیشن به شما سپرده شده باشد باید بروز باشید و تهدیدات را جدی بگیرید.
بسیاری از ما از JWT برای Authentication و Authorization در اپلیکیشنهامون استفاده میکنیم. اما آیا واقعا JWT امن هست؟!
این تکنولوژی هم مشکلاتی داره که باید نسبت به رفع اونها اقدام کنید وگرنه مشتریان شما به خطر خواهند افتاد.
مشکل Revocation
این مشکل از اونجا ناشی میشه که JWT روش استانداردی برای منقضی کردن توکن نداره. این تولید کنندگان لایبرری هستن که با روشهایی مثل اضافه کردن زمان انقضا این مشکل رو تا حدی حل کردند. اما اگر کاربر زودتر از زمان انقضای توکن logout کرد چطور؟ توکن هنوز قابل استفاده است! اگر توکن شما از آن توکن های مدیریتی هم باشد که خدا به شما رحم کند. آدمهای بد از همین فرصت های کم استفاده می کنند.
اینکه چطور توکن رو بعد از logout غیر قابل استفاده کنید هم خودش مسئله مهمیه. روش شما باید واقعا امن باشه و همزمان پرفورمنس خوبی داشته باشه.
مشکل Stale data
فرض کنید یک توکن مدیریتی سطح بالا تقدیم کسی کردید اما بعداً سطحش رو پایین آوردن و دسترسی های مدیریتی رو ازش گرفتن. اما این شخص تا زمان انقضای توکن قبلیش هنوز مدیره. (هنوز میتونه با یوزرش لاگین کنه)
ادامه دارد…
#بانک #فینتک #امنیت
#banking #fintech #security #java #springboot
ترجمه:
JWT token security issues
Number 1
If you are entrusted with the responsibility of securing the application, you must be up-to-date and take threats seriously.
Many of us use JWT for Authentication and Authorization in our applications. But is JWT really safe?!
This technology also has problems that you must solve, otherwise your customers will be at risk.
Revocation problem
This problem comes from the fact that JWT does not have a standard way to expire the token. These are the library manufacturers who solved this problem to some extent with methods such as adding an expiration time. But what if the user logs out before the token expires? The token is still usable! If your token is one of those management tokens, may God have mercy on you. Bad people take advantage of these few opportunities.
How to make the token unusable after logout is also an important issue. Your method should be really safe and perform well at the same time.
Stale data problem
Suppose you presented a high-level administrative token to someone, but later lowered its level and took away administrative access. But this person is still a manager until his previous token expires. (He can still login with his user)
continues…
#bank #fintech #security
#banking #fintech #security #java #springboot
Number 1
If you are entrusted with the responsibility of securing the application, you must be up-to-date and take threats seriously.
Many of us use JWT for Authentication and Authorization in our applications. But is JWT really safe?!
This technology also has problems that you must solve, otherwise your customers will be at risk.
Revocation problem
This problem comes from the fact that JWT does not have a standard way to expire the token. These are the library manufacturers who solved this problem to some extent with methods such as adding an expiration time. But what if the user logs out before the token expires? The token is still usable! If your token is one of those management tokens, may God have mercy on you. Bad people take advantage of these few opportunities.
How to make the token unusable after logout is also an important issue. Your method should be really safe and perform well at the same time.
Stale data problem
Suppose you presented a high-level administrative token to someone, but later lowered its level and took away administrative access. But this person is still a manager until his previous token expires. (He can still login with his user)
continues…
#bank #fintech #security
#banking #fintech #security #java #springboot
