How We Secured Our URL Forwarder with JWT
Wrong password…
Typing my credentials again, and the same annoying red box: “Wrong password”.
Now, as I’m a good developer with a nice secure password stored in my “password manager”, I open the password manager software, pull out my “may have forgotten” password and type it again…
“Wrong password”
… What is happening??
Well, I won’t bother you with all the details. Although this story didn’t happen to me (luckily), it surely happened to many others. It could happen to the more “advanced” users too, not only to our moms and pops…
Think about this situation. You get an email, a link, a post, whatever… containing the link:
SomeRecognizedWebsite.com/forward/?d=hackme.com
So if you see a big brand company you already know and trust, in most cases you won’t worry too much about clicking on their links, right?
If you see a link from Google or Facebook you will probably just go with the flow and trust the page that will load…
The problem here is that there are some “smart” hackers who take advantage of companies’ forwarding services and create links that redirect you to their own malicious websites, where they can easily pull your passwords out of you, just like in the story above.
In the link, you can see a valid, known domain “SomeRecognizedWebsite.com” and some text (which most people don’t care much about). But this link could forward you to “hackme.com” or whatever domain I could put there…
So why the heck am I telling you about all the above??
This is just the preface to our solution for the above problem, where we used JWT tokens to secure our URLs and make sure hackers could not use our credibility to their advantage.
So instead of having this URL:
SomeRecognizedWebsite.com/forward/?d=hackme.com
We are using:
SomeRecognizedWebsite.com/forward/?d=xxxxx.BIG_JWT_TOKEN.zzzzz
This JWT token is signed by our backend service and it’s readable by everyone, so we are not hiding anything here. But when this JWT token is read by our backend service, the service can validate that it wasn’t manipulated.
So this is the flow:
- We create a forwarding JWT for “social-site.com” with a key-value pair: redirectTo = “otherwebsite.com”
- Let’s say the generated token is “jwt_redirect_token”
- Now we can share our redirect link: “oursite.com/forward/jwt_redirect_token”
- Someone clicks on our link
- Our service takes the token “jwt_redirect_token” and validates that it was signed by us
- We parse the token and extract the value for “redirectTo”
- Now we simply redirect the user to the extracted value of “redirectTo”
Now you can see our “URL forwarder” is safe: nobody can forge a token that points to a domain we never signed, so people can’t take advantage of our site’s credibility.
Some notes that can help:
- You can add much more data than just a destination URL. You can add source, campaign, or any other relevant data that benefits the business needs.
- On the other hand… don’t get too crazy, as there are some limitations on URL length (I think 1024. Google it).
- If you need to have a lot of data connected to those URLs, you can always put an ID in the URL and store all of that data in a key-value store that you fetch when the URL is triggered.
Implementation:
I would be happy to share some code, but JWT libraries are quite easy to use and JWT is supported in a HUGE range of languages. For more info on JWT and libraries go to jwt.io.
If you want me to share some examples, just comment below.
I would be happy to hear about any other use cases you have used JWT for.
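To make the flow above concrete, here is an added example (not the post’s own code, and not tied to any particular JWT library) that mints and validates an HS256 forwarding token with only the Python standard library. The secret, the `redirectTo` claim name and the sample destinations are assumptions chosen for the demo; a real service would hold a randomly generated secret and would normally use a maintained JWT library from jwt.io.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Shared secret known only to the backend (constructed demo value, not for real use).
SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_redirect_token(redirect_to: str, ttl_seconds: int = 3600, now=None) -> str:
    """Backend side: sign a forwarding token carrying the destination and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"redirectTo": redirect_to, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def resolve_redirect(token: str, now=None) -> Optional[str]:
    """Forwarder side: return the destination only if we signed it and it has not expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # never let the token choose the algorithm
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None                           # manipulated or not ours: refuse to forward
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("exp", 0) <= now:
            return None                           # expired link
        dest = payload.get("redirectTo")
        return dest if isinstance(dest, str) else None
    except (ValueError, TypeError):
        return None                               # malformed token

if __name__ == "__main__":
    tok = mint_redirect_token("https://otherwebsite.com/landing")
    print(resolve_redirect(tok))                  # the signed destination
    # Swapping the destination without the secret breaks the signature:
    h, _, s = tok.split(".")
    forged = _b64url(json.dumps({"redirectTo": "https://hackme.com", "exp": 9999999999}).encode())
    print(resolve_redirect(f"{h}.{forged}.{s}"))  # None
```

Anything that is not a valid, unexpired token signed with our secret yields `None`, and the forwarder should answer with an error page rather than redirecting anywhere.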