01 March, 2019

TIL #13 - known security issue with JWT library

Notes taken between: 25-01 February/March 2019

known security issue to be mindful of when choosing a jwt libraries

some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. The result? Anyone can create their own "signed" tokens with whatever payload they want,

allowing arbitrary account access on some systems. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/


creating a public/private key js>openssl genrsa -out app.rsa 2048 js>openssl rsa -in app.rsa -pubout > app.rsa.pub

  • alternative to ctrl+c : js>history | grep <insert search term>

  • pprof package. This profiling information is useful to track down memory leaks or deadlocked mutexes.

  • globals should be avoided because if modified all uses of it need updating as well.