How We Secured Our URL Forwarder with JWT

Thu Dec 06 2018

Wrong password

Typing my credentials again, and the same annoying red box: Wrong password

Now, as I am a good developer with a nice secure password stored in my password manager, I open the password manager, pull out the password I may have forgotten, and type it again.

Wrong password

What is happening?

Well, I won't bother you with all the details. Although this story didn't happen to me (luckily), it surely happened to many others, and it can happen to advanced users too, not only to moms and pops.

Think about this situation. You get an email, a message, a post, whatever, containing this link:

SomeRecognizedWebsite.com/forward/?d=hackme.com

If you see a big brand you already know and trust, in most cases you won't worry too much about clicking on their links, right?

If you see a link from Google or Facebook, you will probably just go with the flow and trust the page that loads.

The problem is that attackers take advantage of companies' forwarding services (an "open redirect") and craft links that send you to their own malicious websites, where they can easily phish your password out of you, just like in the story above.

In the link you see a valid, known domain, SomeRecognizedWebsite.com, followed by some text most people don't look at. But that text is the destination: this link forwards you to hackme.com, or to whatever domain I put there.

So why the heck am I telling you all of the above?

This is just the preface to our solution to the problem above, where we used JWT tokens to secure our URLs and make sure attackers could not use our credibility to their advantage.

So instead of having this URL:

SomeRecognizedWebsite.com/forward/?d=hackme.com

We are using:

SomeRecognizedWebsite.com/forward/?d=xxxxx.BIG_JWT_TOKEN.zzzzz

This JWT is signed by our backend service. It is readable by everyone (the payload is only base64url-encoded, not encrypted), so we are not hiding anything here; but when our backend reads the token it verifies the signature, so it can tell whether the payload was manipulated.

So this is the flow:

  • We create a forwarding JWT (say, for a link we want to share on social-site.com) with one key-value pair:
    • redirectTo = otherwebsite.com
  • Let's say the generated token is jwt_redirect_token
  • Now we can share our redirect link: oursite.com/forward/?d=jwt_redirect_token
  • Someone clicks on our link
  • Our service takes the token jwt_redirect_token and verifies that it was signed by us, using the algorithm and key we expect rather than whatever the token's header claims.
  • We parse the token and extract the value of redirectTo
  • Now we simply redirect the user to the extracted value of redirectTo

Now our URL forwarder only redirects to destinations we signed ourselves, so nobody can take advantage of our site's credibility.
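Here is a worked version of the flow above. It is an example added to this post, not the code our service runs; it uses only the Python standard library so it runs without dependencies (in production use a maintained JWT library, as the Implementation section says), and the secret, hostnames and claim names are assumptions. Beyond the flow itself it shows two things the list does not: an attacker who rewrites the redirectTo claim but keeps the original signature is rejected, and a token whose header claims "alg": "none" is rejected because the verifier pins the algorithm instead of trusting the token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret for this example only; in production load it from a secrets store.
SECRET = b"example-secret-do-not-use-in-production"

# Destinations must be absolute http(s) URLs; this also blocks javascript: and data: payloads.
ALLOWED_SCHEMES = ("http://", "https://")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding that JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_forward_token(redirect_to: str, secret: bytes = SECRET, ttl: int = 30 * 24 * 3600) -> str:
    """Issue an HS256-signed forwarding token whose payload carries the destination."""
    if not redirect_to.startswith(ALLOWED_SCHEMES):
        raise ValueError("only http(s) destinations may be forwarded")
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"redirectTo": redirect_to, "iat": now, "exp": now + ttl}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def resolve_forward(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Verify a forwarding token and return its destination; raise ValueError on anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side: never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] < current:
        raise ValueError("token expired or missing exp")
    dest = payload.get("redirectTo")
    if not isinstance(dest, str) or not dest.startswith(ALLOWED_SCHEMES):
        raise ValueError("destination is not an http(s) URL")
    return dest


def tamper_destination(token: str, new_dest: str) -> str:
    """Attacker's first try: rewrite redirectTo but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["redirectTo"] = new_dest
    return header_b64 + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64


def forge_alg_none(new_dest: str) -> str:
    """Attacker's second try: an unsigned token whose header claims alg "none"."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"redirectTo": new_dest, "exp": 4102444800}, separators=(",", ":")).encode())
    return header + "." + payload + "."


if __name__ == "__main__":
    token = create_forward_token("https://otherwebsite.com/landing")
    print("share: https://oursite.com/forward/?d=" + token)
    print("resolves to:", resolve_forward(token))
    attacks = (
        ("tampered payload", tamper_destination(token, "https://hackme.com")),
        ("alg none", forge_alg_none("https://hackme.com")),
    )
    for name, bad in attacks:
        try:
            resolve_forward(bad)
        except ValueError as err:
            print(f"{name} rejected: {err}")
```

Two design choices worth noting: the destination scheme is checked both when issuing and when resolving, so a signed-but-odd payload still cannot redirect to a javascript: URL, and an exp claim is required so a leaked or stale link does not work forever.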

Some notes that can help:

  • You can add much more data than just a destination URL: source, campaign, or any other data that benefits the business.
  • On the other hand, don't get too crazy, as there are limits on URL length (browsers and proxies commonly cope with around 2,000 characters; longer URLs may get truncated or rejected).
  • If you need a lot of data connected to those URLs, you can always put only an ID in the URL and store the rest in a key-value store that you fetch when the URL is hit.

Implementation:

I would be happy to share some code, but JWT libraries are quite easy to use and JWT is supported in a huge range of languages. For more info on JWT and libraries go to jwt.io.

If you want me to share some examples just comment below.

I would be happy to hear about any other use cases where you have used JWT.