Weekly Roundup #13 - known security issue with JWT library

01 March, 2019

Notes taken between 25 February and 01 March 2019


known security issue to be mindful of when choosing a JWT library

Some libraries treated tokens signed with the "none" algorithm as valid tokens with a verified signature. The result? Anyone can create their own "signed" tokens with whatever payload they want, allowing arbitrary account access on some systems. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
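To make the failure mode concrete, here is an added example (not code from the post or from any of the libraries the Auth0 article covers) that implements a minimal HS256 verifier twice with only the Python standard library: once with the bug described above, where the verifier trusts the token's own "alg" header and treats "none" as already verified, and once hardened with a server-side algorithm allowlist. The secret and the payloads are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret (assumption); a real service loads this from a secrets store.
SECRET = b"demo-shared-secret"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (the legitimate path)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_none_token(payload: dict) -> str:
    """Build an unsigned token with alg=none, i.e. the kind of input the post warns about."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def _check_hs256(signing_input: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Buggy verifier: the algorithm is taken from the untrusted header, and 'none' is honoured."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = header_b64 + "." + payload_b64
    alg = header.get("alg")
    if alg == "none":
        # BUG: the payload is accepted without any signature check at all.
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256" and _check_hs256(signing_input, sig_b64, key):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes, allowed=("HS256",)) -> Optional[dict]:
    """Fixed verifier: the server decides which algorithms are acceptable, never the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = header_b64 + "." + payload_b64
    alg = header.get("alg")
    if alg not in allowed:
        # 'none' (or any algorithm the server did not configure) is rejected outright.
        return None
    if alg == "HS256" and _check_hs256(signing_input, sig_b64, key):
        return json.loads(b64url_decode(payload_b64))
    return None


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, SECRET)
    forged = make_none_token({"sub": "admin"})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, SECRET))  # {'sub': 'admin'}
    print("hardened rejects forged token:", verify_hardened(forged, SECRET))      # None
    print("hardened accepts real token:", verify_hardened(good, SECRET))          # {'sub': 'alice'}
```

The only difference between the two verifiers is where the algorithm decision is made: the hardened version pins the expected algorithm in server configuration and rejects anything else before touching the signature, which is the check to look for when evaluating a JWT library.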

RSA

creating a public/private key pair:

    openssl genrsa -out app.rsa 2048
    openssl rsa -in app.rsa -pubout

  • alternative to ctrl+c : history | grep <insert search term>

  • Go's pprof package. Its profiling information is useful for tracking down memory leaks or deadlocked mutexes.

  • globals should be avoided because, if one is modified, every use of it needs updating as well.

bookmarked