01 March, 2019

TIL #13 - known security issue with JWT library

Notes taken between 25 February and 01 March 2019


Known security issue to be mindful of when choosing a JWT library

Some libraries treated a token whose header declares the "none" algorithm as a valid token with a verified signature. The result? Anyone can create their own "signed" tokens with whatever payload they want, allowing arbitrary account access on some systems. The verifier, not the token's header, has to decide which algorithm is acceptable; a library that lets the header pick the check is the one to avoid. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

RSA

Creating a public/private key pair (app.rsa is the private key and must stay secret; app.rsa.pub is the public half that can be handed to whoever needs to verify signatures):

openssl genrsa -out app.rsa 2048
openssl rsa -in app.rsa -pubout > app.rsa.pub
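Added example, not code from the original note or from any of the libraries in the Auth0 post: a minimal RS256 JWT signer and two verifiers in Go, standard library only, showing the "none" bug described above beside the fix, with an in-memory RSA key standing in for app.rsa. The function names (Sign, split, VerifyNaive, VerifyRS256), the claims and the key are all constructed for this demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // unpadded base64url, as JWS requires

// Sign builds a compact JWS. alg "RS256" signs header.payload with priv; alg "none" leaves the
// signature segment empty, which is exactly the token an attacker crafts (priv may be nil then).
func Sign(alg string, claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	if alg == "none" {
		return input + ".", nil
	}
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

type parsed struct {
	hdr    map[string]string
	claims map[string]interface{}
	input  string // header.payload: the bytes the signature covers
	sig    []byte
}

// split decodes the three segments; it checks syntax only and trusts nothing.
func split(token string) (*parsed, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want 3 segments")
	}
	var raw [3][]byte
	for i, s := range parts {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	p := &parsed{input: parts[0] + "." + parts[1], sig: raw[2]}
	for i, dst := range []interface{}{&p.hdr, &p.claims} {
		if err := json.Unmarshal(raw[i], dst); err != nil {
			return nil, fmt.Errorf("segment %d is not JSON: %w", i, err)
		}
	}
	return p, nil
}

func rs256OK(p *parsed, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256([]byte(p.input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], p.sig) == nil
}

// VerifyNaive reproduces the library bug: the token's own header picks the check, so "none" needs no signature.
func VerifyNaive(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	p, err := split(token)
	if err != nil {
		return nil, err
	}
	switch p.hdr["alg"] {
	case "none": // BUG: an empty signature is reported as verified
		return p.claims, nil
	case "RS256":
		if rs256OK(p, pub) {
			return p.claims, nil
		}
	}
	return nil, errors.New("bad signature or unsupported alg")
}

// VerifyRS256 is the fix: the verifier pins the algorithm and only checks that the header agrees,
// so "none" (or any other alg) can never reach a success path.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	p, err := split(token)
	if err != nil {
		return nil, err
	}
	if p.hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("alg %q rejected: this verifier only accepts RS256", p.hdr["alg"])
	}
	if !rs256OK(p, pub) {
		return nil, errors.New("bad signature")
	}
	return p.claims, nil
}
```

Feed a token built with Sign("none", claims, nil) to both verifiers: VerifyNaive hands back the attacker's claims as if they were verified, VerifyRS256 returns an error. The same pinned check is what a server loading app.rsa.pub should do with whatever library it uses.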

  • alternative to ctrl+c: history | grep <insert search term>

  • pprof package. This profiling information is useful to track down memory leaks or deadlocked mutexes.

  • globals should be avoided: if one is modified, every use of it has to be updated as well.

bookmarked