INFORMATION SECURITY ANALYSIS AND AUDIT

PROJECT

FALL SEMESTER 2020

COURSE CODE: CSE3501
FACULTY: PROF. LAVANYA K
SLOT: G2

TEAM MEMBERS
Aditya Ruhatiya (18BCE0582)
Aditya Agrawal (18BCE0586)

TITLE
Secured Form Authentication and Securing Routes with Cookies
INTRODUCTION OF THE PROJECT

Token Based Authentication

A token is a piece of data that has no meaning or use on its own, but combined with the
correct tokenization system, becomes a vital player in securing your application. Token
based authentication works by ensuring that each request to a server is accompanied
by a signed token which the server verifies for authenticity and only then responds to
the request.

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and
self-contained way for securely transmitting information between parties as a JSON
object. This information can be verified and trusted because it is digitally signed. JWTs
can be signed using a secret (with the HMAC algorithm) or a public/private key pair
using RSA or ECDSA.
Although JWTs can be encrypted to also provide secrecy between parties, we will focus
on signed tokens. Signed tokens can verify the integrity of the claims contained within it,
while encrypted tokens hide those claims from other parties. When tokens are signed
using public/private key pairs, the signature also certifies that only the party holding the
private key is the one that signed it.

When to use JSON Web Token

Here are some scenarios where JSON Web Tokens are useful:
• Authorization: This is the most common scenario for using JWT. Once the user is
logged in, each subsequent request will include the JWT, allowing the user to
access routes, services, and resources that are permitted with that token. Single
Sign On is a feature that widely uses JWT nowadays, because of its small overhead
and its ability to be easily used across different domains.

• Information Exchange: JSON Web Tokens are a good way of securely transmitting
information between parties. Because JWTs can be signed—for example, using
public/private key pairs—you can be sure the senders are who they say they are.
Additionally, as the signature is calculated using the header and the payload, you
can also verify that the content hasn't been tampered with.
JSON Web Token structure
In its compact form, JSON Web Tokens consist of three parts separated by dots (.),
which are:
• Header
• Payload
• Signature
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Let's break down the different parts.

Header
The header typically consists of two parts: the type of the token, which is JWT, and the
signing algorithm being used, such as HMAC SHA256 or RSA.
For example:

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload
The second part of the token is the payload, which contains the claims. Claims are
statements about an entity (typically, the user) and additional data. There are three
types of claims: registered, public, and private claims.

• Registered claims: These are a set of predefined claims which are not mandatory
but recommended, to provide a set of useful, interoperable claims. Some of them
are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

• Public claims: These can be defined at will by those using JWTs. But to avoid
collisions they should be defined in the IANA JSON Web Token Registry or be
defined as a URI that contains a collision resistant namespace.
• Private claims: These are the custom claims created to share information between
parties that agree on using them and are neither registered or public claims.

An example payload could be:

The payload is then Base64Url encoded to form the second part of the JSON Web
Token.

Signature
To create the signature part you have to take the encoded header, the encoded
payload, a secret, the algorithm specified in the header, and sign that.
For example if you want to use the HMAC SHA256 algorithm, the signature will be
created in the following way:

The signature is used to verify the message wasn't changed along the way, and, in the
case of tokens signed with a private key, it can also verify that the sender of the JWT is
who it says it is.

Putting all together

The output is three Base64-URL strings separated by dots that can be easily passed in
HTML and HTTP environments, while being more compact when compared to XML-
based standards such as SAML.
The following shows a JWT that has the previous header and payload encoded, and it is
signed with a secret.
If you want to play with JWT and put these concepts into practice, you can use jwt.io
Debugger to decode, verify, and generate JWTs.
JSON Web Tokens working
In authentication, when the user successfully logs in using their credentials, a JSON
Web Token will be returned. Since tokens are credentials, great care must be taken to
prevent security issues. In general, you should not keep tokens longer than required.
You also should not store sensitive session data in browser storage due to lack of
security.
Whenever the user wants to access a protected route or resource, the user agent
should send the JWT, typically in the Authorization header using the Bearer schema.
The content of the header should look like the following:

This can be, in certain cases, a stateless authorization mechanism. The server's
protected routes will check for a valid JWT in the Authorization header, and if it's
present, the user will be allowed to access protected resources. If the JWT contains the
necessary data, the need to query the database for certain operations may be reduced,
though this may not always be the case.
If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS)
won't be an issue as it doesn't use cookies.
The following diagram shows how a JWT is obtained and used to access APIs or
resources:

1. The application or client requests authorization to the authorization server. This is

performed through one of the different authorization flows. For example, a typical
OpenID Connect compliant web application will go through the /oauth/authorize
endpoint using the authorization code flow.
2. When the authorization is granted, the authorization server returns an access token
to the application.
3. The application uses the access token to access a protected resource (like an API).

Do note that with signed tokens, all the information contained within the token is
exposed to users or other parties, even though they are unable to change it. This
means you should not put secret information within the token.

JSON Web Tokens Benefits

Let's talk about the benefits of JSON Web Tokens (JWT) when compared to Simple
Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML).
As JSON is less verbose than XML, when it is encoded its size is also smaller, making
JWT more compact than SAML. This makes JWT a good choice to be passed in HTML
and HTTP environments.
Security-wise, SWT can only be symmetrically signed by a shared secret using the
HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in
the form of a X.509 certificate for signing. Signing XML with XML Digital Signature
without introducing obscure security holes is very difficult when compared to the
simplicity of signing JSON.
JSON parsers are common in most programming languages because they map directly
to objects. Conversely, XML doesn't have a natural document-to-object mapping. This
makes it easier to work with JWT than SAML assertions.
Regarding usage, JWT is used at Internet scale. This highlights the ease of client-side
processing of the JSON Web token on multiple platforms, especially mobile.
Brief working of the project
INTRODUCTION ABOUT TOOLS
1. Visual Studio Code
2. Node.js
3. MongoDB Atlas

Visual Studio Code

Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux
and macOS. Features include support for debugging, syntax highlighting, intelligent code
completion, snippets, code refactoring, and embedded Git. Users can change the theme,
keyboard shortcuts, preferences, and install extensions that add additional functionality.
Visual Studio Code is a source-code editor that can be used with a variety of programming
languages, including Java, JavaScript, Go, Node.js and C++. It is based on the Electron
framework, which is used to develop Node.js Web applications that run on the Blink layout
engine. Visual Studio Code employs the same editor component (codenamed "Monaco")
used in Azure DevOps (formerly called Visual Studio Online and Visual Studio Team
Services).
Instead of a project system, it allows users to open one or more directories, which can
then be saved in workspaces for future reuse. This allows it to operate as a language-
agnostic code editor for any language. It supports a number of programming languages
and a set of features that differs per language. Unwanted files and folders can be
excluded from the project tree via the settings. Many Visual Studio Code features are not
exposed through menus or the user interface, but can be accessed via the command
palette.
Visual Studio Code can be extended via extensions, available through a central
repository. This includes additions to the editor and language support. A notable feature
is the ability to create extensions that add support for new languages, themes, and
debuggers, perform static code analysis, and add code linters using the Language Server
Protocol.
Visual Studio Code includes multiple extensions for FTP, allowing the software to be used
as a free alternative for web development. Code can be synced between the editor and
the server, without downloading any extra software. Visual Studio Code allows users to
set the code page in which the active document is saved, the newline character, and the
programming language of the active document. This allows it to be used on any platform,
in any locale, and for any given programming language.
Visual Studio Code is a code editor at its core. Like many other code editors, VS Code
adopts a standard user interface and layout of an explorer on the left, showing all of the
files and folders you have access to. Additionally, it has an editor on the right, showing
the content of the files you have opened. Below are a few of the most critical components
the VSCode editor:

VS Code comes with a straight-forward and intuitive layout that maximizes the space
provided for the editor while leaving ample room to browse. Additionally, it allows
access to the full context of your folder or project. The UI is divided into five areas, as
highlighted in the above image.

Editor – It is the main area to edit your files. You can open as many editors as possible
side by side vertically and horizontally.
SideBar – Contains different views like the Explorer to assist you while working on your
project.
Status Bar – It contains the information about the opened project and the files you edit.
Activity Bar – It is located on the far left-hand side. It lets you switch between views and
gives you additional context-specific indicators, like the number of outgoing changes
when Git is enabled.
Panels – It displays different panels below the editor region for output or debug
information, errors, and warnings, or an integrated terminal. Additionally, the panel can
also move to the right for more vertical space.
VS Code opens up in the same state it was last in, every time you start it. It also
preserves folder, layout, and opened files.
Visual Studio Code supports the maximum of the modern programming languages. It
provides various features that can be language-specific but are available in almost all
the supported programming languages. Few of them are:
• Syntax highlighting and bracket matching: Syntax highlighting determines the
color and style of source code displayed in the Visual Studio Code editor.
Moreover, it is responsible for colorizing keywords like if or for in JavaScript
differently than strings and comments and variable names.
• Smart completion (IntelliSense): IntelliSense is a general term for a variety of
code editing features, including code completion, parameter info, quick info,
and member lists. Other names of IntelliSense features are “code completion,”
“content assist,” and “code hinting.” The below gif file shows a sample of the
feature:

• Linting and corrections: Linters provides warnings for suspicious-looking code.

While VS Code does not include a built-in linter, many
linter extensions available in the marketplace.
• Code navigation (Go to Definition, Find All References): Code navigation lets
you quickly navigate JavaScript projects.
• Go To Definition F12 – It asks you to Go to the source code of a
symbol definition.
• Peek Definition ⌥F12 – Bring up a Peek window that shows the
definition of a symbol.
• Go to References ⇧F12 – Show all references to a symbol.
• Go to Type Definition unassigned – Go to the type that defines a
symbol. In other words, for an instance of a class, this will reveal the
class itself instead of where the instance is defined.
• Debugging: VS Code comes with great debugging support. Additionally, you
can set breakpoints, inspect objects, navigate the call stack, and execute code
in the Debug Console.
 • Refactoring: VS Code includes some handy refactorings such as Extract
function and Extract constant. Just select the source code you’d like to extract
and then click on the lightbulb in the gutter or press (⌘.) to see available
refactorings. Available refactorings include:

• Extract to method or function.

• Extract to constant.
• Convert between named imports and namespace imports.
• Move to a new file.

Node.js
Node.js is a server-side platform built on Google Chrome's JavaScript Engine (V8
Engine). Node.js was developed by Ryan Dahl in 2009 and its latest version is v0.10.36.
The definition of Node.js as supplied by its official documentation is as follows −
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast and
scalable network applications. Node.js uses an event-driven, non-blocking I/O model
that makes it lightweight and efficient, perfect for data-intensive real-time applications
that run across distributed devices.
Node.js is an open source, cross-platform runtime environment for developing server-
side and networking applications. Node.js applications are written in JavaScript, and
can be run within the Node.js runtime on OS X, Microsoft Windows, and Linux.
Node.js also provides a rich library of various JavaScript modules which simplifies the
development of web applications using Node.js to a great extent.
Node.js = Runtime Environment + JavaScript Library
Features of Node.js
Following are some of the important features that make Node.js the first choice of
software architects.
• Asynchronous and Event Driven − All APIs of Node.js library are asynchronous,
that is, non-blocking. It essentially means a Node.js based server never waits for
an API to return data. The server moves to the next API after calling it and a
notification mechanism of Events of Node.js helps the server to get a response
from the previous API call.
 • Very Fast − Being built on Google Chrome's V8 JavaScript Engine, Node.js library
is very fast in code execution.
• Single Threaded but Highly Scalable − Node.js uses a single threaded model with
event looping. Event mechanism helps the server to respond in a non-blocking
way and makes the server highly scalable as opposed to traditional servers which
create limited threads to handle requests. Node.js uses a single threaded program
and the same program can provide service to a much larger number of requests
than traditional servers like Apache HTTP Server.
• No Buffering − Node.js applications never buffer any data. These applications
simply output the data in chunks.
• License − Node.js is released under the MIT license.

Concepts
The following diagram depicts some important parts of Node.js

Application of Node.js
Following are the areas where Node.js is proving itself as a perfect technology partner.
• I/O bound Applications
• Data Streaming Applications
• Data Intensive Real-time Applications (DIRT)
• JSON APIs based Applications
• Single Page Applications
MongoDB Atlas
MongoDB Atlas is a fully-managed cloud database developed by the same people that
build MongoDB. Atlas handles all the complexity of deploying, managing, and healing
your deployments on the cloud service provider of your choice (AWS, Azure, and GCP).
The service is built to handle enterprise workloads, with support for global clusters.
You can store your data with Amazon Web Services (AWS), Google Cloud Platform, or
Microsoft Azure. However, you don’t need to set up an account with any of these
platforms. MongoDB Atlas takes care of all this behind the scenes.
MongoDB Atlas also automatically handles backend administrative processes such as
provisioning resources, setting up clusters, or scaling services. Most of the tasks you
perform are simple point-and-click operations that you carry out through the service’s
centralized web interface.
Features included with MongoDB Atlas free cluster
• 512 MB of storage
• Shared RAM
• Highly available replica sets, end-to-end encryption, automated patches, REST
API
• Max connections: 100
• Network performance: Low
• Max databases: 100
• Max collections: 500
The free tier cluster regions available are:
• N. Virginia (us-east-1)
• Frankfurt (eu-central-1)
• Singapore (ap-southeast-1)
• Mumbai (ap-south-1)
SCREENSHOTS
Initial database
Register

Database after registering

Initial Developer console (Network Tab)

Initial Developer console (Application Tab)

Login (with correct info)

After Login
After login Developer console (Network Tab)

Encrypted Payload used for requesting to the server

After login Developer console (Aplication Tab)

This encrypted token is used for secured communication between browser

and server.
Requesting server for user info using the same token after
putting it in authorization header
Response from the server

Login (with wrong info)

Payload Still there but no response from the server

No token stored
EXECUTION VIDEO
https://drive.google.com/file/d/1AFUX93dhA5pew8WG-
Cqrsll_1rBvjyLR/view?usp=sharing

REFERENCES
1. https://jwt.io/introduction/
2. https://www.knowi.com/blog/getting-started-with-mongodb-atlas-overview-and-
tutorial/
3. https://nodejs.dev/learn
4. https://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-
example-in-laravel-and-angularjs
5. https://www.ably.io/tutorials/jwt-authentication
6. https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_pyt
hon_understanding_rsa_algorithm.htm