Challenge Overview
- Analyze the attack vectors of JWT vs POP JWT
Project background
We currently use JWT over standard TLS and are now transitioning to POP JWT, so we want a report that shows whether this transition is worthwhile.
Technology Stack
- POP JWT: https://tools.ietf.org/html/rfc7800 and https://community.apigee.com/questions/69744/jwt-vs-pop-jwt.html
- Angular 8 - used to build the front-end
- Node.js - used to build the back-end
Individual Requirements
We expect a security comparison report between JWT and POP JWT
- We always use them over standard TLS
- You need to list all possible scenarios in which JWT is insecure while POP JWT is secure
- You need to list all possible scenarios in which POP JWT is insecure while JWT is secure - this looks impossible, and is listed only in case you can find such a scenario
- You need to list all possible scenarios in which both JWT and POP JWT are insecure
- You can refer to the OWASP top 10 vulnerabilities as a starting point: https://www.ibm.com/developerworks/library/se-owasptop10/index.html
And we intend to use the POP JWT as below:
- The browser will generate a pair of private and public keys.
- The browser sends the public key to the authorization server (issuer) to generate the POP JWT, which contains the public key as well as some other info.
- Then for any request from the browser to the server (recipient), the browser will send two tokens:
  - POP JWT
  - nonce token - which is generated from the private key and the request data
- When the server receives the request, it will first decode the POP JWT to extract the public key, and then use it to decrypt the nonce token to validate the request data integrity.
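The flow above as a runnable Node.js sketch, added here as an illustration and not the project's own code. Assumptions: the nonce token is modelled as an ECDSA P-256 signature over the request data that the server verifies with the public key from the RFC 7800 `cnf` claim, the issuer signs with a constructed HS256 secret, and all function names are hypothetical.

```javascript
// Added example (not the project's code). Uses only Node's built-in crypto module.
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const ISSUER_SECRET = 'constructed-demo-secret'; // assumption: HS256 issuer key

// Authorization server: embed the client's public key in the RFC 7800 "cnf" claim.
function issuePopJwt(sub, publicJwk) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ sub, cnf: { jwk: publicJwk } }));
  const sig = crypto.createHmac('sha256', ISSUER_SECRET).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Client: the "nonce token" is modelled as a signature over the request data.
function signRequest(privateKey, requestData) {
  return crypto.sign('sha256', Buffer.from(requestData), privateKey).toString('base64url');
}

// Resource server: check the issuer signature first, then the proof of possession.
function verifyRequest(popJwt, nonceToken, requestData) {
  const [header, payload, sig] = popJwt.split('.');
  if (!header || !payload || !sig) return 'malformed-jwt';
  const expected = crypto.createHmac('sha256', ISSUER_SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad-jwt-signature';
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (!claims.cnf || !claims.cnf.jwk) return 'no-cnf';
  const key = crypto.createPublicKey({ key: claims.cnf.jwk, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(requestData), key, Buffer.from(nonceToken, 'base64url'));
  return ok ? 'ok' : 'bad-proof';
}

// Constructed demo run covering cases a comparison report would list.
function demo() {
  const client = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwt = issuePopJwt('alice', client.publicKey.export({ format: 'jwk' }));
  const req = 'POST /transfer {"to":"bob","amount":10}';
  const proof = signRequest(client.privateKey, req);
  return {
    legit: verifyRequest(jwt, proof, req),
    tampered: verifyRequest(jwt, proof, req.replace('10', '9000')),
    stolenJwtOnly: verifyRequest(jwt, signRequest(other.privateKey, req), req),
    replay: verifyRequest(jwt, proof, req), // no freshness value is signed here, so this passes
  };
}
```

The `replay` case verifies because this sketch signs only the request data; a server that needs replay resistance has to have a timestamp or single-use value included in the signed data and checked on receipt.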
Winner Selection
- There will be no appeal phase, and winner selection is purely up to the client.
Final Submission Guidelines
Submission Deliverable
- A Word document explaining the attack vectors of JWT vs POP JWT, plus any other documents that help to make it clear.