Posted at: 2022-12-04 19:14:21 | RSS feed digest for 2022-12-04 19:00 (15 items)

Category | Site | Article title / trend word | Link URL | Frequent words, summary / search volume | Registered at
js | New posts tagged JavaScript - Qiita | Building a TODO app with Qwik (3) | https://qiita.com/ta1m1kam/items/bc1d3d3ab07482c6799b | taskstor | 2022-12-04 18:50:29
js | New posts tagged JavaScript - Qiita | [Learning Web Components] Custom Elements | https://qiita.com/KokiSakano/items/1ffa65a1adb3f7c11112 | customelements | 2022-12-04 18:27:03
js | New posts tagged JavaScript - Qiita | Fetching the HTTP status codes of multiple URLs and writing the results [test automation] | https://qiita.com/kaeru_grocery/items/dc1d78685cd73258b015 | googleappscript | 2022-12-04 18:02:16
AWS | New posts tagged AWS - Qiita | Choosing between S3 Batch Operations (copy) and S3 Batch Replication | https://qiita.com/thaim/items/9a709ab382a9c3902df9 | consolidation | 2022-12-04 18:52:29
Docker | New posts tagged docker - Qiita | Building a RUST game server with TrueNAS + Docker | https://qiita.com/gKhdrt_chan/items/56becddb992df646b5b3 | qiita | 2022-12-04 18:25:42
Docker | New posts tagged docker - Qiita | From Express + Docker environment setup to installing Sequelize and connecting to the DB | https://qiita.com/reisuta/items/9a79f8f559184811b6a9 | docker | 2022-12-04 18:16:42
golang | New posts tagged Go - Qiita | How to extract, merge and thin out GoPro GPS data (Linux environment) | https://qiita.com/TTOM/items/b561b499bae03657b706 | gogopro | 2022-12-04 18:24:44
golang | New posts tagged Go - Qiita | A first step toward tackling ISUCON | https://qiita.com/hide_take/items/b0c7aa4b854a1fa82fab | pandemonium | 2022-12-04 18:02:22
Git | New posts tagged Git - Qiita | How to extract, merge and thin out GoPro GPS data (Linux environment) | https://qiita.com/TTOM/items/b561b499bae03657b706 | gogopro | 2022-12-04 18:24:44
Tech blog | Developers.IO | [AWS IoT Core] Retrieving the user properties added in MQTT v5 with a rule and using them in Lambda | https://dev.classmethod.jp/articles/aws-iot-core-mqtt-v5-get_user_properties/ | awsiotcoremqttv | 2022-12-04 09:34:04
Tech blog | Developers.IO | Building a data lake that supports transactions using open table formats #ANT328 #reinvent | https://dev.classmethod.jp/articles/reinvent2022-report-ant328/ | alakesusingopentableforma | 2022-12-04 09:10:58
Overseas tech | MakeUseOf | Rent vs. Buy a Home: 5+ Online Guides and Apps to Calculate What's Best for You | https://www.makeuseof.com/rent-vs-buy-online-guides-apps/ | guides | 2022-12-04 09:30:15
Overseas tech | DEV Community | How JWTs Could Be Dangerous and Its Alternatives | https://dev.to/pragativerma18/how-jwts-could-be-dangerous-and-its-alternatives-3k3j | (full article text follows) | 2022-12-04 09:04:18

How JWTs Could Be Dangerous and Its Alternatives

Introduction

JSON Web Tokens (JWTs) are the most popular tokens for web authentication and for managing user sessions in modern software applications. There is plenty of information on the benefits that JWTs bring to the table; however, very few developers and software architects are familiar with the potential dangers and inefficiencies of using JWT tokens. In this article we'll discuss how JWTs can make websites vulnerable to a variety of serious security threats and attacks if not managed properly. And because JWTs are extensively used in authentication, session management and access control, these flaws might jeopardize the entire website and its users. Before we dive into the details, let's have an overview of JWTs and how they almost became a standard for software developers.

What are JWTs?

JSON Web Tokens (JWTs) are a standardized format for securely transferring cryptographically signed JSON data across systems. They can potentially include any type of data, but are most typically used to transfer data ("claims") about users as part of authentication, session management and access control procedures. Unlike traditional session tokens, all of the data required by the server is stored on the client side within the JWT. As a result, JWTs are a common solution for widely distributed websites where users must interact seamlessly with numerous back-end servers.

A JWT consists of three parts: header, payload and signature. The header and payload are base64url-encoded JSON objects which can be decoded from the token to reveal their contents. The header includes metadata about the token, such as its type (JWT) and the signing algorithm being used, such as HMAC-SHA256 or RSA, whereas the payload contains the user's actual claims. There are no constraints on the payload's content, although it's crucial to note that a JWT is not encrypted. As a result, whatever information we put in the token is still viewable by anyone who intercepts it. Thus the security of any JWT-based mechanism is heavily reliant on the cryptographic signature.

The signature, which is a Message Authentication Code (MAC), is the last component of a JWT. A JWT signature can only be produced by someone who has both the payload (including the header) and the secret key. Because the signature is computed directly from the remainder of the token, altering a single byte of the header or payload results in an incorrect signature. It should be impossible to produce the right signature for a given header and payload without knowing the server's secret signing key. Each part is separated by a dot in the JWT, as shown below:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

When decoded, the information is revealed as follows:

Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret)

As we can see, the signature is really the key part of the JWT. The signature is what allows a fully stateless server to be certain that an HTTP request belongs to a specific user simply by looking at the JWT present in the request itself, rather than requiring the password to be sent with every request. For further user actions the server merely validates the signed section, obtains the user information and allows the action. As a result, the database call is avoided entirely.

But there is one more thing you should know about JWTs: they use an expiry period to self-destruct. It is usually set to a range of minutes. And because a JWT is self-contained, it is difficult to revoke, invalidate or update. This is truly the root of the issue. Let's look into this in detail in the next section.

How JWTs Could Be Dangerous

Although JWT eliminates the database lookup, it brings security concerns and other complexity to the process. Security is binary: it is either secure or not. As a result, using JWT for user sessions is dangerous. The biggest problem with JWTs is that the token will continue to work until it expires, and the server has no easy way to revoke it. This could be extremely dangerous in situations such as the following:

- Logout doesn't actually log you out of the system. The JWT can continue to live for whatever duration is set for its expiration, even after you have logged out, which means that if someone gets hold of that token during that time they can keep using it until it expires.
- Similarly, you can't block a user from the system, for moderation or any other reason, because they will continue to have access to the server until the token expires.
- Suppose the user was an administrator who was downgraded to an ordinary user with lower privileges. Again, this will not take effect immediately, and the user will remain an administrator until the token expires.
- Because JWTs are frequently not encrypted, anyone who can execute a man-in-the-middle attack and sniff the JWT now has access to your authentication credentials. This is made easier because the MITM attack only has to be carried out on the server-client connection.
- Moreover, many libraries that implement JWT have had security issues.
- Also, many real-world programs require servers to save the user's IP address and track API usage for rate throttling and IP whitelisting. As a result, you'll need to employ a lightning-fast database anyhow. It's unrealistic to believe that using JWT will render your app stateless.

Alternatives

One typical solution is to keep a database of revoked tokens and check it on each call. If the token is in that revoked list, prevent the user from performing the next operation. But now you're making an additional call to the database to see if the token has been revoked, which defeats the point of JWT entirely.

The answer is not to avoid using JWT for sessions entirely, but instead to do it the old-fashioned but time-tested way: make the database lookup so quick (sub-millisecond) that the extra call is not a concern, by using a solution such as Redis along with JWT, so that we keep the benefits of JWTs but remove most of the security threats discussed earlier. In this scenario, if the JWT verification is successful, the server will still proceed to Redis and double-check the information there. However, if the JWT verification fails, there is no need to query Redis at all. Another advantage of this technique is that you can use existing JWT libraries on both the front end and the back end without developing your own custom way of storing data in Redis.

Conclusion

In this post we learned what JWTs are and how they are used for authentication. JWTs are simply JSON payloads with an easily verifiable and unforgeable signature. We also discussed the vulnerabilities that improper handling of JWTs can introduce and the alternatives to use.

That's all for this article. In case you want to connect with me, follow the links below: LinkedIn, GitHub, Twitter.
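As an added example, not part of the article above: a minimal HS256 sign/verify in Python with an in-memory set standing in for the Redis revocation store the article proposes. The signing secret, the session ids (jti) and the fixed clock are constructed for the demo, and only the three checks the article discusses (signature, expiry, revocation on logout) are implemented.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC signing key
REVOKED = set()                       # stands in for a Redis set of revoked session ids
NOW = 1_700_000_000                   # constructed fixed clock so the demo is deterministic

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(payload: dict) -> str:
    # header.payload.signature with HS256, as the article describes
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)

def verify(token: str, now: int = NOW):
    # returns the claims only if signature, expiry and the revocation store all pass
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None  # pin the algorithm server-side; never trust the token's own alg
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # a single changed byte fails here
        return None
    if payload.get("exp", 0) <= now or payload.get("jti") in REVOKED:
        return None  # expired (or exp missing), or revoked via the Redis-style double check
    return payload

def logout(token: str, now: int = NOW) -> bool:
    # a logout that actually logs out: record the session id in the store
    payload = verify(token, now)
    if payload is not None:
        REVOKED.add(payload["jti"])
    return payload is not None

def demo() -> dict:
    # the article's failure cases, run on a constructed session token
    REVOKED.clear()
    tok = sign({"sub": "1234567890", "jti": "sess-1", "exp": NOW + 900})
    h, _, s = tok.split(".")  # genuine signature reused on an edited payload
    forged = f"{h}.{_b64(json.dumps({'sub': 'admin', 'jti': 'sess-1'}).encode())}.{s}"
    return {"valid": verify(tok) is not None, "tampered": verify(forged) is None,
            "expired": verify(tok, now=NOW + 901) is None,
            "after_logout": logout(tok) and verify(tok) is None}
```

Every key in the dict returned by demo() is True: the edited payload fails the MAC check, the expired token is refused, and after logout() the still-unexpired token is refused only because of the store lookup.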
Overseas news | Japan Times latest articles | Fuji Soft proxy fight the latest test of Japan Inc. board independence | https://www.japantimes.co.jp/news/2022/12/04/business/corporate-business/japan-board-independence/ | Governance experts say outside directors are only nominally independent if they have close ties to management or fail to give proper oversight | 2022-12-04 18:06:41
IT | Weekly ASCII | [McDonald's] Last year's popular "Beef Stew Pie" is back this year! As a savory pie, it looks good for breakfast too | https://weekly.ascii.jp/elem/000/004/115/4115972/ | meal | 2022-12-04 18:10:00
