How to secure ASP.NET Core Web API from stolen JWT token for Impersonation
I have a ASP.NET core REST API deployed in a Server behind IIS. REST API is consumed by Angular JS Web application and Mobile(Android/IOS) application. For Authorization I'm using JWT token(). Recently went through Security Audit and they found that JWT stored in Local storage can be stolen and used by other attacker from the same organization for impersonation(For eg, Employee utilizing Manager's features).
I want to tag the person or that machine to that JWT so that when the JWT is stolen the attacker cannot misuse it or will not be any use with that stolen Token. I tried tagging the IP with JWT token and stored those lookup in Server(In memory Cache). Below is the code i tried , which didn't work.
private readonly IHttpContextAccessor _httpContextAccessor;
public TestController(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
var ipAddress = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
I expected output to be different every time i request from different machines. But the actual output is same IP every time like this 15.11.101.25 (though i tried from different machines). Please share with me some better solution if there is any. Excuse my English.
angularjs asp.net-core mobile asp.net-core-webapi asp.net-core-security
asked Jan 2 at 17:05
vinothvsvinothvs
99113
|
show 3 more comments
I have a ASP.NET core REST API deployed in a Server behind IIS. REST API is consumed by Angular JS Web application and Mobile(Android/IOS) application. For Authorization I'm using JWT token(). Recently went through Security Audit and they found that JWT stored in Local storage can be stolen and used by other attacker from the same organization for impersonation(For eg, Employee utilizing Manager's features).
I want to tag the person or that machine to that JWT so that when the JWT is stolen the attacker cannot misuse it or will not be any use with that stolen Token. I tried tagging the IP with JWT token and stored those lookup in Server(In memory Cache). Below is the code i tried , which didn't work.
private readonly IHttpContextAccessor _httpContextAccessor;
public TestController(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
var ipAddress = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
I expected output to be different every time i request from different machines. But the actual output is same IP every time like this 15.11.101.25 (though i tried from different machines). Please share with me some better solution if there is any. Excuse my English.
angularjs asp.net-core mobile asp.net-core-webapi asp.net-core-security
asked Jan 2 at 17:05
vinothvsvinothvs
99113
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23
|
show 3 more comments
I have a ASP.NET core REST API deployed in a Server behind IIS. REST API is consumed by Angular JS Web application and Mobile(Android/IOS) application. For Authorization I'm using JWT token(). Recently went through Security Audit and they found that JWT stored in Local storage can be stolen and used by other attacker from the same organization for impersonation(For eg, Employee utilizing Manager's features).
I want to tag the person or that machine to that JWT so that when the JWT is stolen the attacker cannot misuse it or will not be any use with that stolen Token. I tried tagging the IP with JWT token and stored those lookup in Server(In memory Cache). Below is the code i tried , which didn't work.
private readonly IHttpContextAccessor _httpContextAccessor;
public TestController(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
var ipAddress = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
I expected output to be different every time i request from different machines. But the actual output is same IP every time like this 15.11.101.25 (though i tried from different machines). Please share with me some better solution if there is any. Excuse my English.
angularjs asp.net-core mobile asp.net-core-webapi asp.net-core-security
asked Jan 2 at 17:05
vinothvsvinothvs
99113
I have a ASP.NET core REST API deployed in a Server behind IIS. REST API is consumed by Angular JS Web application and Mobile(Android/IOS) application. For Authorization I'm using JWT token(). Recently went through Security Audit and they found that JWT stored in Local storage can be stolen and used by other attacker from the same organization for impersonation(For eg, Employee utilizing Manager's features).
I want to tag the person or that machine to that JWT so that when the JWT is stolen the attacker cannot misuse it or will not be any use with that stolen Token. I tried tagging the IP with JWT token and stored those lookup in Server(In memory Cache). Below is the code i tried , which didn't work.
private readonly IHttpContextAccessor _httpContextAccessor;
public TestController(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
var ipAddress = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
I expected output to be different every time i request from different machines. But the actual output is same IP every time like this 15.11.101.25 (though i tried from different machines). Please share with me some better solution if there is any. Excuse my English.
angularjs asp.net-core mobile asp.net-core-webapi asp.net-core-security
angularjs asp.net-core mobile asp.net-core-webapi asp.net-core-security
asked Jan 2 at 17:05
vinothvsvinothvs
99113
asked Jan 2 at 17:05
vinothvsvinothvs
99113
edited Jan 2 at 17:28
vinothvs
asked Jan 2 at 17:05
vinothvsvinothvs
99113
asked Jan 2 at 17:05
vinothvsvinothvs
99113
asked Jan 2 at 17:05
vinothvsvinothvs
99113
99113
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23
|
show 3 more comments
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23
|
show 3 more comments
1 Answer
1
active
oldest
votes
If you really need that kind of security, you can combine the JWT token with a secure (=cookies only allowed to be sent via https) http-only cookie, and store a kind of request token inside it that sent on each request.
You can have a read on Where to Store your JWTs – Cookies vs HTML5 Web Storage which kind of covers the topic and explain the up- and down-sides of local storage vs cookies for JWT.
Http-only cookies can't be read via JavaScripts (and hence not stolen) and are hence secure against XSS attacks. And CSRF based attacks can't get the JWT token (since its sent via headers).
So XSS based attacks won't have the cookie based token and CSRF based request won't have the JWT token required to authenticate the user. The cookie token could be generated on sign in, so its tied to the user who logs on that machine.
You can of course also turn it around and have the JWT in a secured cooke and the anti request token as header.
Of course you could still steal the anti-forgery cookie with physical access to the machine, but that's neither XSS nor CSRF and can't be protected by the application alone, the machines themselves need to be secured against physical type of attacks.
Alternatively, don't store JWT tokens in the local storage. When you use the OpenID flow, your application will, on the first load, see that its not authorized, will redirect you to the OpenID provider, let the user enter his credentials and redirect them back with the token (or code for the auth code flow).
When the user closes the browser and opens the site again, there's no token anymore, the user will be redirected to the OpenID provider. Since the user is still logged in, no credentials will be asked and he will be redirected back to the page he came from, including a new set of tokens. You just need the store the tokens in memory (and refresh when it expires) for the current application session.
answered Jan 2 at 17:42
TsengTseng
34.8k595126
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54010361%2fhow-to-secure-asp-net-core-web-api-from-stolen-jwt-token-for-impersonation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you really need that kind of security, you can combine the JWT token with a secure (=cookies only allowed to be sent via https) http-only cookie, and store a kind of request token inside it that sent on each request.
You can have a read on Where to Store your JWTs – Cookies vs HTML5 Web Storage which kind of covers the topic and explain the up- and down-sides of local storage vs cookies for JWT.
Http-only cookies can't be read via JavaScripts (and hence not stolen) and are hence secure against XSS attacks. And CSRF based attacks can't get the JWT token (since its sent via headers).
So XSS based attacks won't have the cookie based token and CSRF based request won't have the JWT token required to authenticate the user. The cookie token could be generated on sign in, so its tied to the user who logs on that machine.
You can of course also turn it around and have the JWT in a secured cooke and the anti request token as header.
Of course you could still steal the anti-forgery cookie with physical access to the machine, but that's neither XSS nor CSRF and can't be protected by the application alone, the machines themselves need to be secured against physical type of attacks.
Alternatively, don't store JWT tokens in the local storage. When you use the OpenID flow, your application will, on the first load, see that its not authorized, will redirect you to the OpenID provider, let the user enter his credentials and redirect them back with the token (or code for the auth code flow).
When the user closes the browser and opens the site again, there's no token anymore, the user will be redirected to the OpenID provider. Since the user is still logged in, no credentials will be asked and he will be redirected back to the page he came from, including a new set of tokens. You just need the store the tokens in memory (and refresh when it expires) for the current application session.
answered Jan 2 at 17:42
TsengTseng
34.8k595126
add a comment |
If you really need that kind of security, you can combine the JWT token with a secure (=cookies only allowed to be sent via https) http-only cookie, and store a kind of request token inside it that sent on each request.
You can have a read on Where to Store your JWTs – Cookies vs HTML5 Web Storage which kind of covers the topic and explain the up- and down-sides of local storage vs cookies for JWT.
Http-only cookies can't be read via JavaScripts (and hence not stolen) and are hence secure against XSS attacks. And CSRF based attacks can't get the JWT token (since its sent via headers).
So XSS based attacks won't have the cookie based token and CSRF based request won't have the JWT token required to authenticate the user. The cookie token could be generated on sign in, so its tied to the user who logs on that machine.
You can of course also turn it around and have the JWT in a secured cooke and the anti request token as header.
Of course you could still steal the anti-forgery cookie with physical access to the machine, but that's neither XSS nor CSRF and can't be protected by the application alone, the machines themselves need to be secured against physical type of attacks.
Alternatively, don't store JWT tokens in the local storage. When you use the OpenID flow, your application will, on the first load, see that its not authorized, will redirect you to the OpenID provider, let the user enter his credentials and redirect them back with the token (or code for the auth code flow).
When the user closes the browser and opens the site again, there's no token anymore, the user will be redirected to the OpenID provider. Since the user is still logged in, no credentials will be asked and he will be redirected back to the page he came from, including a new set of tokens. You just need the store the tokens in memory (and refresh when it expires) for the current application session.
answered Jan 2 at 17:42
TsengTseng
34.8k595126
add a comment |
If you really need that kind of security, you can combine the JWT token with a secure (=cookies only allowed to be sent via https) http-only cookie, and store a kind of request token inside it that sent on each request.
You can have a read on Where to Store your JWTs – Cookies vs HTML5 Web Storage which kind of covers the topic and explain the up- and down-sides of local storage vs cookies for JWT.
Http-only cookies can't be read via JavaScripts (and hence not stolen) and are hence secure against XSS attacks. And CSRF based attacks can't get the JWT token (since its sent via headers).
So XSS based attacks won't have the cookie based token and CSRF based request won't have the JWT token required to authenticate the user. The cookie token could be generated on sign in, so its tied to the user who logs on that machine.
You can of course also turn it around and have the JWT in a secured cooke and the anti request token as header.
Of course you could still steal the anti-forgery cookie with physical access to the machine, but that's neither XSS nor CSRF and can't be protected by the application alone, the machines themselves need to be secured against physical type of attacks.
Alternatively, don't store JWT tokens in the local storage. When you use the OpenID flow, your application will, on the first load, see that its not authorized, will redirect you to the OpenID provider, let the user enter his credentials and redirect them back with the token (or code for the auth code flow).
When the user closes the browser and opens the site again, there's no token anymore, the user will be redirected to the OpenID provider. Since the user is still logged in, no credentials will be asked and he will be redirected back to the page he came from, including a new set of tokens. You just need the store the tokens in memory (and refresh when it expires) for the current application session.
answered Jan 2 at 17:42
TsengTseng
34.8k595126
If you really need that kind of security, you can combine the JWT token with a secure (=cookies only allowed to be sent via https) http-only cookie, and store a kind of request token inside it that sent on each request.
You can have a read on Where to Store your JWTs – Cookies vs HTML5 Web Storage which kind of covers the topic and explain the up- and down-sides of local storage vs cookies for JWT.
Http-only cookies can't be read via JavaScripts (and hence not stolen) and are hence secure against XSS attacks. And CSRF based attacks can't get the JWT token (since its sent via headers).
So XSS based attacks won't have the cookie based token and CSRF based request won't have the JWT token required to authenticate the user. The cookie token could be generated on sign in, so its tied to the user who logs on that machine.
You can of course also turn it around and have the JWT in a secured cooke and the anti request token as header.
Of course you could still steal the anti-forgery cookie with physical access to the machine, but that's neither XSS nor CSRF and can't be protected by the application alone, the machines themselves need to be secured against physical type of attacks.
Alternatively, don't store JWT tokens in the local storage. When you use the OpenID flow, your application will, on the first load, see that its not authorized, will redirect you to the OpenID provider, let the user enter his credentials and redirect them back with the token (or code for the auth code flow).
When the user closes the browser and opens the site again, there's no token anymore, the user will be redirected to the OpenID provider. Since the user is still logged in, no credentials will be asked and he will be redirected back to the page he came from, including a new set of tokens. You just need the store the tokens in memory (and refresh when it expires) for the current application session.
answered Jan 2 at 17:42
TsengTseng
34.8k595126
edited Jan 2 at 17:47
answered Jan 2 at 17:42
TsengTseng
34.8k595126
answered Jan 2 at 17:42
TsengTseng
34.8k595126
answered Jan 2 at 17:42
TsengTseng
34.8k595126
34.8k595126
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54010361%2fhow-to-secure-asp-net-core-web-api-from-stolen-jwt-token-for-impersonation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Well, if you use a proxy or a common internet connection, then its normal that all IPs are same. You should try it from a mobile device (thats not connected via WLAN). Also how is a stolen token related to CSRF? CSRF happens, when an attacker forges a link (or form on a page and lures you to visit it, so a hidden form is sent). With JWT this can't happen, CSRF is only vulnerable to Cookie authentication, because the browser automatically sends the cookie with the request, which doesn't happen with JWT
– Tseng
Jan 2 at 17:11
CSRF can't get the tokens from local storage, that's only possible with XSS (Cross-Site Scripting), when someone manages to inject a piece of JavaScript Code into your website (when you don't properly sanitize your user input). Also the scenario that an employee gets the managers JWT token is unlikely unless a) they have physical access to the managers computer (then you have other, way bigger issues in your company) or b) the user can inject a javascript code into the website and have the manager open it, in which case you have serious trust issues with your employees
– Tseng
Jan 2 at 17:13
@Tseng We can try from Mobile device. But the problem is it should work for Web as well. Sorry for diverting this question towards CSRF. Main problem is I should avoid User B stealing User A's token, so that User B can't impersonate as User A.
– vinothvs
Jan 2 at 17:18
What I meant to say, if all the users of the same company have the Same IP (they share the same public IP via one internet connection), using the IP as discriminator is pointless
– Tseng
Jan 2 at 17:20
@Tseng : I mentioned exactly same thing to our Security experts("that an employee gets the managers JWT token is unlikely unless they have physical access to the managers computer). But they are not ready to listen. So need to find some solution to tag it. They expect this application to behave like traditional session concept. Like every session is different and one cannot steal others session. For the sake of argument still i can argue on hacking the application if the hacker managed to get the Session cookie. But Security team is not ready for any debate.
– vinothvs
Jan 2 at 17:23