JWTs for CSRF and Microservices

14
JWTs for CSRF and Microservices

Transcript of JWTs for CSRF and Microservices

Page 1: JWTs for CSRF and Microservices

JWTsfor

CSRF and Microservices

Page 2: JWTs for CSRF and Microservices

Welcome! • Agenda

• Stormpath 101 (5 mins)• JWT with CSRF & Microservices (40 mins)• Q&A (15 mins)

• Claire HunsakerVP of Marketing

• Micah SilvermanJava Developer Evangelist

Page 3: JWTs for CSRF and Microservices

Speed to Market & Cost Reduction• Complete Identity solution out-of-the-box• Security best practices and updates by default• Clean & elegant API/SDKs• Little to code, no maintenance

Page 4: JWTs for CSRF and Microservices

Stormpath User Management

User Data

User Workflows Google ID

Your ApplicationsApplication SDK

Application SDK

Application SDK

ID Integrations

Facebook

Active Directory

SAML

Page 5: JWTs for CSRF and Microservices

Let’s talk about CSRF!

Page 6: JWTs for CSRF and Microservices

encodeSecret =

"4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

computeHMACSHA256(

header + "." + payload,

base64DecodeToByteArray(encodedSecret)

)

Signature Computation Pseudo-code

Page 7: JWTs for CSRF and Microservices

JWTSecret Anti-Patterns

Page 8: JWTs for CSRF and Microservices

.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

Short but not Sweet

Page 9: JWTs for CSRF and Microservices

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS256,

b64EncodedSecret.getBytes("UTF-8")

)

You’re Doing it Wrong

Page 10: JWTs for CSRF and Microservices

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS512,

TextCodec.BASE64.decode(b64EncodedSecret)

)

Supersize that Secret!

Page 11: JWTs for CSRF and Microservices

"Microservices are awesome, but they're not free."

- Les Hazlewood, Stormpath CTO

Page 12: JWTs for CSRF and Microservices

Monolithic SOA

AuthenticationServiceAuthorizationServiceApplicationService

OrganizationServiceDirectoryServiceAccountServiceGroupService

DatabaseInfrastructure

Page 13: JWTs for CSRF and Microservices

Microservices

DatabaseInfrastructure

GroupServiceAccountService

AuthenticationService AuthorizationService

ApplicationService OrganizationService DirectoryService

Page 14: JWTs for CSRF and Microservices

Resources• Repos used in today’s preso:

○ github.com/jwtk/jjwt○ github.com/stormpath/roadstorm-jwt-csrf-tutorial○ github.com/stormpath/roadstorm-jwt-microservices-

tutorial• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd• Stormpath Microservices Screencast -

bit.ly/29Wi6iw• JWT Inspector - jwtinspector.io• HTTPie - github.com/jkbrzt/httpie• What are Microservices?

○ martinfowler.com/articles/microservices.html• @afitnerd @goStormpath

[email protected]


Common Websites Security Issues - IL Hackilhack.org/...security_issues_Ziv_Perry_FatFish.pdf · SYN flooding XSS CSRF Sql injection. XSS CSRF Sql injection. XSS CSRF Cross Site Scripting

Common Websites Security Issues - IL Hackilhack.org/...security_issues_Ziv_Perry_FatFish.pdf · SYN flooding XSS CSRF Sql injection. XSS CSRF Sql injection. XSS CSRF Cross Site Scripting

Csrf protector

Csrf protector

PHP Security Crash Course - 3 - CSRF

PHP Security Crash Course - 3 - CSRF

WEB SECURITY: XSS & CSRF - University Of Maryland · XSS & CSRF CMSC 414 FEB 22 2018. Cross-Site Request Forgery (CSRF) URLs with side-effects

WEB SECURITY: XSS & CSRF - University Of Maryland · XSS & CSRF CMSC 414 FEB 22 2018. Cross-Site Request Forgery (CSRF) URLs with side-effects

Protect you site from CSRF

Protect you site from CSRF

CSRF e OAuth2

CSRF e OAuth2

CSRF is dead - stephenreescarter.net€¦ · Browser rejects CSRF cookie when visiting mysite.com CSRF Cookie defaults to SameSite=Lax and is rejected by the browser due to the cross-site

CSRF is dead - stephenreescarter.net€¦ · Browser rejects CSRF cookie when visiting mysite.com CSRF Cookie defaults to SameSite=Lax and is rejected by the browser due to the cross-site

CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем веб-приложении

CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем веб-приложении

CsFire: Browser-Enforced Mitigation Against CSRF

CsFire: Browser-Enforced Mitigation Against CSRF

REST API Security: OAuth 2.0, JWTs, and More!

REST API Security: OAuth 2.0, JWTs, and More!

The three faces of CSRF - uni-passau.de fileThe three faces of CSRF DeepSec 2007 ... The targets of such requests are not restricted by the SOP ... CSRF (I)

The three faces of CSRF - uni-passau.de fileThe three faces of CSRF DeepSec 2007 ... The targets of such requests are not restricted by the SOP ... CSRF (I)

Dissecting CSRF Attacks & Defenses - Mike Shema - CSRF Lab.pdfDissecting CSRF Attacks & Defenses Mike Shema October 16, 2013. Cross Site Request Forgery Identifying the confused, session-riding

Dissecting CSRF Attacks & Defenses - Mike Shema - CSRF Lab.pdfDissecting CSRF Attacks & Defenses Mike Shema October 16, 2013. Cross Site Request Forgery Identifying the confused, session-riding

Csrf final

Csrf final

Advanced CSRF and Stateless Anti-CSRF - OWASP · Advanced CSRF and Stateless Anti-CSRF. Frontend developer at Svenska Handelsbanken Researcher in application security ... RIA & …

Advanced CSRF and Stateless Anti-CSRF - OWASP · Advanced CSRF and Stateless Anti-CSRF. Frontend developer at Svenska Handelsbanken Researcher in application security ... RIA & …

Présentation CSRF (complète avec démo)

Présentation CSRF (complète avec démo)

CSRF: El Nuevo Target.

CSRF: El Nuevo Target.

OWASP CSRF Protector

OWASP CSRF Protector

JWTs and JOSE in a flash

JWTs and JOSE in a flash

Introduction to CSRF Attacks & Defense

Introduction to CSRF Attacks & Defense

JWTS-10JF Table Saw Manual

JWTS-10JF Table Saw Manual