
I am working on security analysis of jwt python libraries. I want to analyze how the libraries work and how they were used in development. Not the source code. Also I have to check the jwt libraries against known attacks like:

  • None algorithm

  • RS256 to HS256 key confusion attack

  • Weak symmetric keys

  • Incorrect composition of encryption and signature

  • Insecure use of elliptic curve attacks

  • Same recipient / cross JWT confusion

How to check against such attacks for a set of python libraries?

Also I have the following questions:

  1. What do you expect to see in a security analysis of jwt python libraries?

  2. How to perform such analysis?

I tried to search for existing code that uses these libraries to analyze it with no luck with that. I also installed burp suite and jwt_tool but still, I can't figure out the approach of such analysis.

I searched for similar analysis from the security field but I can't find anything close to what I am working on.

I have been searching without luck for similar works to be able to understand what I am expected to do and how to do it. I have a good background in network security, but I don't have any background in web applications security.

Alaa
    Burp is an HTTPS Interception Proxy. It's *completely* the wrong tool to analyze a python library. – Dec 02 '21 at 09:53
  • @MechMK1 thanks for your comment, my plan was to look for jwt tokens in the traffic, but the free version of burp suite was not helpful. What tools are there to analyze python libraries? – Alaa Dec 03 '21 at 10:28

1 Answer


Here is my proposal for your analysis that, in general, is valid for other python projects. In general, you need to perform a static analysis and a dynamic analysis of the code. You can google and find a lot of tools that will do the job for you.

You need to analyze your code from two perspectives (this is very python focused, but valid for other projects). Your project has a python layer that basically is your webservice managing the HTTP requests/responses and access to a data layer. Your python code must be analyzed to verify that your code is correct and you don't have any vulnerabilities on it. This is the first step.

On the other hand, the majority of the python libraries that require cryptographic operations delegate this functionality to cryptographic libraries such as openssl, libsodium, etc. You should also analyze them to verify them. This is the second step.

The key, from my point of view, is to carry out static and dynamic analysis of all the code components that you are using. This will reduce the probability of vulnerabilities in your code dramatically, but not 100%.

schroeder
camp0
  • Is it possible to perform the analysis without writing a web application to test the jwt authentication libraries? – Alaa Dec 08 '21 at 18:20
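The question asks how to check a set of libraries against the none algorithm, RS256-to-HS256 key confusion and weak symmetric keys, and the answer recommends dynamic analysis of the code actually in use. One concrete form of that dynamic analysis is a behavioural test harness: feed each library's verify function a fixed set of constructed tokens and record whether it rejects the ones it must. The harness below is an added example written for this page; it is not code from the question, the answer, or any JWT library. It uses only the Python standard library, so it ships with a small `hardened_verify` reference (HS256 only, algorithm pinned by the caller, HMAC key length checked against the RFC 7518 section 3.2 minimum of 256 bits for HS256) and a deliberately `naive_verify` that trusts the header's `alg`, to show what a failing result looks like. To test a real library, wrap its decode call in a function with the same `(token, key, expected_alg)` signature and pass it to `run_checks`; the `fake_pem` bytes are a labelled placeholder standing in for a deployment's RSA public key, not a real key, and every secret and claim set is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# --- minimal compact-JWS helpers (stdlib only) --------------------------------

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, payload: dict, hmac_key: Optional[bytes] = None) -> str:
    """Build a compact JWS test vector. With hmac_key the signature is HMAC-SHA256
    over header.payload; with None the signature part is left empty."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = b"" if hmac_key is None else hmac.new(hmac_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

# --- two verifiers under test: a hardened reference and a naive one ------------

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: HMAC key at least the hash output size

def hardened_verify(token: str, key: bytes, expected_alg: str) -> dict:
    """The caller pins the algorithm; the header's alg only has to match it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(parts[0]))
    if header.get("alg") != expected_alg:
        raise ValueError("algorithm not allowed")  # rejects none and HS256-for-RS256
    if expected_alg != "HS256":
        raise NotImplementedError("reference verifier only validates HS256")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HMAC key shorter than RFC 7518 minimum")
    mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_unb64url(parts[1]))

def naive_verify(token: str, key: bytes, expected_alg: str) -> dict:
    """Trusts the header's alg and ignores expected_alg: the mistake behind the
    none and key-confusion items in the question's list."""
    h, p, s = token.split(".")
    header = json.loads(_unb64url(h))
    if header.get("alg", "").lower() == "none":
        return json.loads(_unb64url(p))
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))

# --- the harness ---------------------------------------------------------------

Verifier = Callable[[str, bytes, str], dict]

def run_checks(verify: Verifier) -> Dict[str, bool]:
    """Run the constructed vectors through `verify`; True means it behaved safely."""
    strong_key = b"k" * 32                 # constructed 256-bit secret
    weak_key = b"secret"                   # constructed 48-bit secret
    fake_pem = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"
    claims = {"sub": "alice", "admin": False}
    escalated = {**claims, "admin": True}
    results: Dict[str, bool] = {}

    def rejects(token: str, key: bytes, alg: str) -> bool:
        try:
            verify(token, key, alg)
        except Exception:
            return True
        return False

    # Sanity: a correctly signed token must be accepted, or every rejection below is vacuous.
    good = make_token({"alg": "HS256", "typ": "JWT"}, claims, strong_key)
    results["accepts_valid_token"] = verify(good, strong_key, "HS256") == claims
    # 1. none algorithm, including the case variants that lenient parsers normalise.
    results["rejects_alg_none"] = all(
        rejects(make_token({"alg": v, "typ": "JWT"}, escalated), strong_key, "HS256")
        for v in ("none", "None", "NONE", "nOnE"))
    # 2. RS256 -> HS256 confusion: an HS256 token keyed with the public-key bytes,
    #    shown to a verifier configured for RS256 with that same public key.
    confused = make_token({"alg": "HS256", "typ": "JWT"}, escalated, fake_pem)
    results["rejects_hs256_for_rs256_key"] = rejects(confused, fake_pem, "RS256")
    # 3. Weak symmetric key: correctly signed, but the key is below the RFC 7518 minimum.
    weak = make_token({"alg": "HS256", "typ": "JWT"}, claims, weak_key)
    results["rejects_weak_hmac_key"] = rejects(weak, weak_key, "HS256")
    # 4. Integrity: the original signature over an altered payload.
    h, _, s = good.split(".")
    tampered_payload = _b64url(json.dumps(escalated, separators=(",", ":")).encode())
    results["rejects_tampered_payload"] = rejects(f"{h}.{tampered_payload}.{s}", strong_key, "HS256")
    return results

if __name__ == "__main__":
    for name, verifier in (("hardened", hardened_verify), ("naive", naive_verify)):
        print(name, run_checks(verifier))
```

Because the harness drives the verify function directly, it needs no web application in front of the library: each library is exercised the way an application would call it, and a `False` in the result map names the item from the question's list that the library, as configured, does not defend against. The "incorrect composition of encryption and signature" and "cross-JWT confusion" items from the question are not covered by this block; they need the library's JWE and audience/issuer handling rather than a signature-only harness.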