What is Cybersecurity? (An anecdote about a JSON Web Token.)
"Is a web app secure just because I use a JWT?"
That is a question I had when I first learned about them.
Learning is important.
I was impressed with how well designed JWT, OIDC, SAML, and modern Identity Provider (IdP) solutions were. The quality of the design I read about in the Request for Comments (RFCs) was impressive. Yet even after reading the RFCs and watching tutorials, something was still nagging at me.
Test assumptions and concerns.
One day I decided to log into one web application and copied the JWT using the Chrome developer tools.
I went to another web application and opened the Chrome developer tools. I added the other site's JWT token and refreshed the page.
A surprise outcome.
I logged in!
I had an active login, but there were multiple errors and missing data within the different views.
After some investigation, I realized the APIs validated the JWTs, but the web application client did not.
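One way a client could perform the validation that was missing here, as an added example that is not from the original post. It assumes both applications receive RS256 tokens from the same IdP and uses Node.js's built-in crypto; the issuer `https://idp.example`, the audiences `app-a` and `app-b`, and the key pair generated in the code are constructed stand-ins.

```javascript
// Added example: Node.js built-in crypto only. All names and values are constructed.
const crypto = require('node:crypto');

// Stand-in for the IdP signing key; a real client gets the public key from the IdP's JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Demo-only issuer: mint an RS256 token the way the IdP would.
function mintToken(claims) {
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Client-side check: returns the claims, or throws with the reason for rejection.
function validateForClient(token, { issuer, audience, key, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { throw new Error('malformed token'); }
  // Pin the algorithm; never let the token header choose it.
  if (!header || header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (!claims || claims.iss !== issuer) throw new Error('wrong issuer');
  // aud may be a string or an array (RFC 7519, section 4.1.3).
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Returns 'accepted' or the rejection reason.
function check(token, expected) {
  try { validateForClient(token, expected); return 'accepted'; }
  catch (e) { return e.message; }
}

// Constructed scenario: one IdP, two applications, a token issued for each.
const exp = Math.floor(Date.now() / 1000) + 300;
const ISS = 'https://idp.example';
const tokenForA = mintToken({ iss: ISS, aud: 'app-a', sub: 'user-1', exp });
const tokenForB = mintToken({ iss: ISS, aud: 'app-b', sub: 'user-1', exp });
const appB = { issuer: ISS, audience: 'app-b', key: publicKey };
console.log(check(tokenForB, appB), '|', check(tokenForA, appB)); // accepted | wrong audience
```

The signature on `tokenForA` is valid, so only the audience check stops application B from treating it as its own login.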
What is cybersecurity?
Even well-designed solutions and technologies require secure implementation.
When something is nagging at us, or we suspect a potential flaw, we should take the time to investigate and test it.
About the Author
Miguel is a Principal Security Engineer and is the author of the "Serverless Security" book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.
Originally published on Patreon