JWT 安全漏洞
常見 JWT 攻擊
1. None 演算法攻擊
import os

import jwt
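# Attacker-forged token: header {"alg": "none"}, payload {"user_id": 1}, and an empty
# third segment (no signature at all).
token = "eyJhbGciOiAibm9uZSJ9.eyJ1c2VyX2lkIjogMX0."

# Some old library versions honour alg=none and skip signature verification entirely,
# so the attacker can claim any user_id.
#
# Defence: always pass an explicit, minimal `algorithms` allow-list and never let the
# token's own header choose the algorithm. With the list pinned, PyJWT rejects this
# token with jwt.InvalidAlgorithmError (a subclass of InvalidTokenError) because "none"
# is not allowed. Never put "none" in the list. The same pinning is what protects an
# RS256 service from RS256->HS256 key-confusion (public key used as the HMAC secret).
#
# The HS256 secret itself must be >= 32 random bytes (RFC 7518 §3.2) and must not be
# hard-coded -- see the brute-force section below.
secret = os.environ["JWT_SECRET"]
try:
    jwt.decode(token, secret, algorithms=["HS256"])
except jwt.InvalidTokenError as exc:
    # Expected outcome for the forged token above.
    print(f"rejected: {exc}")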
2. 弱密鑰爆破
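# Attacker side: offline dictionary attack against an HS256 token. The guesses never
# touch the server, so rate limiting and lockouts do not help -- only key entropy does.
# RFC 7518 §3.2 requires an HS256 key of at least 256 bits; generate it with
# secrets.token_bytes(32) and never derive it from a word or short passphrase. GPU
# crackers (e.g. hashcat mode 16500) try vastly more than this handful of guesses.
#
# NOTE: `token` must be a captured HS256-signed token. The alg=none token from the
# section above also fails here, but with InvalidAlgorithmError, not a signature error.
common_secrets = ["secret", "password", "123456", "key", "jwt_secret"]
for s in common_secrets:
    try:
        payload = jwt.decode(token, s, algorithms=["HS256"])
    except jwt.InvalidTokenError:
        # Wrong guess (InvalidSignatureError) or unusable token. Catching only PyJWT's
        # exception family -- not a bare `except:` -- keeps KeyboardInterrupt, typos and
        # real bugs from being silently swallowed.
        continue
    print(f"密鑰找到了: {s}")
    break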
3. Vibe Prompt
「幫我實作安全的 JWT 認證中間件:使用 RS256(非對稱簽章:以私鑰簽發、公鑰驗證;RS256 並非加密,payload 仍是明文)、設定短有效期、加入 Refresh Token 機制。」注意:下面的範例只涵蓋 access token 的簽發與驗證,並未實作 Refresh Token 的簽發、輪替與撤銷。
from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import HTTPBearer
import jwt, time
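app = FastAPI()
# Extracts the token from "Authorization: Bearer <token>" and rejects requests
# without one before verify_token runs.
security = HTTPBearer()

# Key separation: only the service that *issues* tokens needs the private key; a
# service that only verifies should load nothing but public.pem. Keep private.pem out
# of the repository and readable only by the application user.
# `with` closes the handles (the original `open(...).read()` leaked them).
with open("private.pem") as key_file:
    PRIVATE_KEY = key_file.read()
with open("public.pem") as key_file:
    PUBLIC_KEY = key_file.read()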
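def create_access_token(user_id: int) -> str:
    """Issue a short-lived RS256 access token for *user_id*.

    Args:
        user_id: Identifier placed in the ``user_id`` claim.

    Returns:
        The compact JWS string (``str`` on PyJWT >= 2).

    The one-hour lifetime is what bounds the damage of a stolen token, since
    nothing here implements revocation or refresh tokens.
    """
    # One timestamp for both claims so iat and exp are consistent; int keeps the
    # NumericDate values exact instead of float seconds.
    now = int(time.time())
    return jwt.encode(
        {
            "user_id": user_id,
            "exp": now + 3600,  # 1 hour
            "iat": now,
        },
        PRIVATE_KEY,
        algorithm="RS256",
    )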
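def verify_token(credentials=Depends(security)):
    """FastAPI dependency: validate the bearer token and return its ``user_id``.

    Args:
        credentials: Bearer credentials extracted by ``security``.

    Returns:
        The ``user_id`` claim of a valid token.

    Raises:
        HTTPException: 401 when the token is expired, malformed, signed with the
            wrong key or algorithm, lacks required claims, or has no ``user_id``.
    """
    # RFC 6750 asks for a WWW-Authenticate challenge on 401.
    challenge = {"WWW-Authenticate": "Bearer"}
    try:
        payload = jwt.decode(
            credentials.credentials,
            PUBLIC_KEY,
            # Explicit allow-list: blocks alg=none and RS256->HS256 key confusion.
            algorithms=["RS256"],
            # PyJWT only validates exp when the claim is present; a token without
            # exp would never expire. Make the claims mandatory (PyJWT 2.x option).
            options={"require": ["exp", "iat"]},
        )
    except jwt.ExpiredSignatureError:
        raise HTTPException(401, "Token 已過期", headers=challenge)
    except jwt.InvalidTokenError:
        raise HTTPException(401, "無效 Token", headers=challenge)

    user_id = payload.get("user_id")
    if user_id is None:
        # A correctly signed token without our claim is still not ours: answer 401
        # rather than letting a KeyError turn into a 500.
        raise HTTPException(401, "無效 Token", headers=challenge)
    # NOTE(review): a valid signature only proves the issuer; whether this user is
    # still active/not revoked must be checked by the caller if that matters here.
    return user_id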
@app.get("/me")
def get_me(user_id=Depends(verify_token)):
    """Return the caller's id as established by the ``verify_token`` dependency."""
    me = {"user_id": user_id}
    return me