A master's thesis from Aalborg University
Security analysis of JSON web tokens- Attack scenarios and countermeasures

Author

Term

4th semester

Publication year

2024

Submitted on

Abstract

JSON Web Tokens (JWT) are widely used in modern web systems for authentication, authorization, and information exchange. This thesis undertakes a systematic security analysis of JWT across different data flows and protocols, including their roles in OAuth 2.0, DPoP-JWT, mutual TLS (mTLS), OpenID Connect, Selective Disclosure (SD-JWT), and as an alternative to session tokens. The study relates JWT signing and encryption to the security objectives of confidentiality, integrity, authenticity, and non-repudiation, and compiles attack scenarios that undermine these objectives together with their countermeasures. It reviews similarities and differences across flows, discusses the impact of transport security (TLS) and stronger client binding, and summarizes best-practice recommendations. The work also includes practical demonstrations of vulnerabilities, such as brute-forcing weak shared secrets and exploiting the "none" algorithm, to illustrate the risks of poor configuration. Final empirical findings are not present in the excerpt, but the report provides an overall assessment and guidance.

[This summary has been generated with the help of AI directly from the project (PDF)]