Attack Prevention for JWT Authentication with Single-Page Application

Secure Cookies

Man-In-the-Middle (MITM)

  • Use HTTPS/TLS everywhere a cookie will be in transit
    • Set the Secure flag on cookies so the browser only ever sends them over HTTPS, never on a plain-HTTP connection an on-path attacker can read

Cross-Site Request Forgery (CSRF)

An attacker can create a page on some host whose JavaScript invokes our token generation URL. If you land on that page after you have logged in (which, with SSO, is more and more likely), the browser attaches your session cookie to that request, the endpoint mints a JWT for you, and, if our CORS policy lets that origin read the response, the script now holds a token and can invoke REST services on your behalf. Even when the response cannot be read, any state-changing request the script fires still executes with your cookies.

Another scenario: the attacker's page carries a malicious image, for example <img src=”″> pointing at one of our endpoints. The browser sends our cookies with that GET, and the server trusts the cookies and assumes the request was an intended user action.

This works because the Same-Origin Policy restricts reading cross-origin responses, not sending cross-origin requests: <img>, <form>, <script> and similar tags can request any origin, and the browser attaches that origin's cookies to the request. (The SameSite cookie attribute limits this in browsers that support it; do not rely on it alone.)

  • Synchronizer Token – for form-based web apps: the server embeds a per-session random token in each form and rejects any POST that does not carry it
  • Double-Submit Cookie – for modern apps, like SPAs
    • Use two cookies
      • One authentication cookie, like a Session ID or JWT token, marked HttpOnly
      • One strong random value, let's call it csrf-token, which must NOT be HttpOnly because the SPA has to read it
    • The client reads the csrf-token cookie and sends its value back in a custom HTTP header. The Same-Origin Policy is what makes this work: a page on another origin can neither read our cookie nor attach a custom header to a cross-origin request without a CORS preflight
    • Server needs to verify, on every state-changing request, that the custom header matches the csrf-token cookie (compare in constant time)
    • Server needs a correct Cross-Origin Resource Sharing policy that admits only trusted origins, preferably only the same host
      • Then the preflight for a forged request fails and the browser never sends it; checking the Origin header on the server is a cheap second line of defence
    • The scheme assumes nobody else can set cookies for our domain; an attacker on a sibling subdomain could plant both cookies, which the __Host- cookie prefix (Secure, Path=/, no Domain attribute) prevents

Cross-Site Scripting (XSS)

  • Escape content
    • Escape user input before rendering so a user cannot inject HTML or JavaScript into the page; the escaping depends on where the value lands (HTML text, attribute value, URL, script)
  • Handle customization (user-supplied themes, templates, rich text) with caution
  • Set the HttpOnly flag on authentication cookies
    • HttpOnly cookies are NOT readable from JavaScript; the browser still attaches them to requests automatically. Injected script therefore cannot exfiltrate the token, although it can still fire authenticated requests from the victim's page while it is open

Adopt JWT the Right Way

Use the claims body wisely

  • Include role information in a “scope” claim so the client can decide locally which parts of the UI to show
    • This is a convenience for the client only: the payload is base64url-encoded, not encrypted, and the client can be modified, so the server must still check the signature and the scope on every request

Use OAuth2 + JWT

  • Access & Refresh Tokens
    • Access token has a much shorter TTL than the refresh token
    • Access token is stateless, trusted on its signature alone, used for client-server communication; it cannot be revoked before it expires, which is why its TTL is kept short
    • Refresh token is stateful, stored server-side and revocable, used only to obtain new access tokens
  • For example
    • Super-secure banking application (want to force user out often)
      • Access token TTL – 1 min
      • Refresh token TTL – 30 mins
    • Mobile/social app (user should always stay logged in)
      • Access token TTL – 1 hour
      • Refresh token TTL – 1 year

Storing & Transmitting JWTs – in the browser

  • Local storage is readable by any script running on the page, so one XSS bug hands the token to the attacker
  • Cookies with HttpOnly and Secure flags, plus the CSRF prevention above, are the safer place
    • However this prevents the SPA from putting the token into an Authorization request header itself
    • The token travels in the cookie instead, and the server has to read it from there
      • Existing frameworks might not support that (OWSM multi_token_rest_service_policy)
  • Avoid cross-domain requests where possible; every extra origin widens the CORS policy the CSRF defence relies on


JWT Authentication with AngularJS –


A personal reading of the 8/12 “DC District Court vacates the STEM Extension” case



The story started when a group of American tech workers felt their jobs were being taken by foreigners, and an organization called the Washington Alliance of Technology Workers sued the Department of Homeland Security, arguing that the OPT STEM extension DHS issued in 2008 was unlawful and should be vacated.


DHS noted that the 2008 Rule was issued without notice and public comment “[t]o avoid a loss of skilled students through the next round of H-1B filings in April 2008.”

It also said that after issuing the rule DHS changed it several times without public notice and comment, and that changes to the STEM list were simply made on DHS's own website; from the opinion:

Since promulgating this interim rule, DHS has on several occasions modified, without notice and comment, the list of disciplines that qualify for the STEM extension via updates to their website.


In Counts I-III, plaintiff alleges that the OPT program exceeds DHS’s statutory authority and conflicts with other statutory requirements, including the labor certifications related to H-1B visas.
This count was dismissed by the court, so I did not read it closely. Roughly, it says DHS had no authority to establish an OPT program at all and that creating OPT violated a number of statutes, but the court did not accept this. The opinion contains a long analysis of it.

In Count IV, plaintiff argues that DHS acted arbitrarily and capriciously in promulgating the 2008 Rule.
This count says DHS was arbitrary and capricious when it issued the STEM extension in 2008, i.e. it did not think things through.

In Count V, plaintiff argues that DHS lacked good cause to waive the notice and comment requirement in promulgating the rule.

In Count VI, plaintiff contends that DHS’s reference to an external website to list the STEM courses of study violates the relevant rules on incorporation by reference.
This count picks at the list of STEM courses, saying it violates yet another rule; I did not look at it closely.

In Counts VII-VIII, plaintiff claims that DHS improperly failed to allow for notice and comment before issuing the 2011 and 2012 modifications of the list of STEM disciplines.

And in Count IX, plaintiff argues that the 2008 Rule and the subsequent 2011 and 2012 modifications exceeded DHS’s statutory authority.
The last count says the OPT extension and the 2011 and 2012 modifications that followed exceeded DHS's statutory authority. This differs from the first count: the first says the OPT program itself is invalid and was rejected by the court; this one is about the extension.



In short, the court found that the reason DHS gave in 2008 for issuing the rule without a hearing did not amount to “good cause”, so the rule fails; DHS must go through notice and comment, and only after that can the rule stay in effect.

However, the end of the opinion contains the passage below, which essentially says that too many people are now on the STEM extension: if the court simply struck the rule down, tens of thousands would immediately lose their work authorization/status and have to leave, with too large an impact on US tech companies. So the court ordered the STEM extension vacated, but stayed the vacatur until February 12, 2016. Until then DHS has half a year to conduct notice and comment or take other remedial action.

While DHS has not disclosed the number of aliens currently taking advantage of the OPT STEM extension, the Court has no doubt that vacating the 2008 Rule would force “thousands of foreign students with work authorizations . . . to scramble to depart the United States.” Vacating the 2008 Rule could also impose a costly burden on the U.S. tech sector if thousands of young workers had to leave their jobs in short order. The Court sees no way of immediately restoring the pre-2008 status quo without causing substantial hardship for foreign students and a major labor disruption for the technology sector. As such, the Court will order that the 2008 Rule – and its subsequent amendments – be vacated, but it will order that the vacatur be stayed.

The stay will last until February 12, 2016, during which time DHS can submit the 2008 Rule for proper notice and comment.


As the text implies, everyone currently on the 17-month extension and everyone about to apply for it could be affected, because if the rule is vacated, even those who already hold the work permit (EAD) would find the “Terms and Conditions” on the EAD without legal effect. But this will not happen before February 12, 2016. Those currently on the 12-month OPT will not be affected before their OPT expires.

Also, this ruling was made by the DC District Court, so DHS still has the chance to appeal. DHS can also redo notice and comment and correct the deficiencies identified in the case, so the 2008 Rule (STEM extension) may well continue in effect.





The relevant settings can be changed under Project > Properties > Deployment, where one item, “Additional Manifest Files to Merge into MANIFEST.MF”, is where custom content is added. But I tried for a whole afternoon with no luck, until I found a blog post online that saved me.




1. How do you get a motorcycle license at the DMV? What is the general process? What are the hard parts?

After passing the written test you get a learner's permit similar to the car one; the difference is that, unlike a car learner, who must be accompanied by a licensed driver, the restrictions on a motorcycle permit are no freeways, no riding at night and no passengers. There are further restrictions for minors. If you are an adult, once you have the permit you can book the riding test; the process is basically the same as for cars, you bring your own bike, and the test content can be seen in this video:. After passing you get the motorcycle license/endorsement.
Apart from this route, the other option is to take a government-approved motorcycle school course; after training and passing the test you get a government-recognized certificate, the DL389, which waives the DMV riding test. The ones I know of are MSF (Motorcycle Safety Foundation), CMSP (California Motorcycle Safety Program) and similar programs. I chose the course myself, because I was starting from zero and California traffic speeds are terrifying, so I wanted to learn some survival skills. The course I signed up for is run by Northern California Motorcycle Training, Inc (, $258 for adults; the school provides the motorcycles. It has four parts: a 3-hour classroom session on Thursday evening, 5 hours of on-bike training on Saturday morning or afternoon (your choice), a 3-hour classroom session plus written test on Saturday evening, and 5 hours of on-bike training plus riding test on Sunday morning or afternoon (your choice, matching Saturday). The drills are fairly basic, speeds are generally kept under 20 mph, and training takes place in a closed parking lot, so it is safe. Once you pass both the written and riding tests you get the certificate. The school does not require a permit, so to avoid queuing at the DMV more than once, you can finish the course, get the DL389, then go to the DMV and receive the license right after the written test.
2. What reference sites are there for choosing a motorcycle? Where to buy? How much? Is other gear needed (helmet, etc.)?

The first question is entirely a matter of personal preference. Just as cars come as sedans, SUVs, sports cars, wagons and so on, motorcycles come in types such as sport, cruiser, dirt bike/dual purpose, touring, etc., each with its own character and use. For a beginner the two important factors are seat height and weight. Motorcycles range from about 300 lb to over 1,000 lb; a lighter bike is more nimble and easier to recover when you haven't got the balance right yet, while a heavier bike is more stable and feels more secure in strong wind. Seat height depends on your own height; for a beginner it matters to be able to put both feet flat on the ground, especially in stop-and-go city riding. Cruisers generally have lower seats. The best way is still to go to a dealer and sit on the bikes one by one. Never sit on someone else's bike parked in a public place without permission: it is a very serious offense among riders, and you risk knocking it over or scratching it.
Besides style you need to decide on power. The debate over whether a beginner's first bike should be a large or a small displacement never ends. I went with the relatively small (300cc) Kawasaki Ninja 300. With less power, the bike is more forgiving of riding mistakes, and a small-displacement bike is lighter than a large one, which is also friendlier to beginners.
The second question is much like buying a car. A used bike is cheap and you don't mind practicing on it, but it may have problems you can't see on the surface, such as accidents or poor maintenance, which a beginner who doesn't know bikes may not spot. A new bike is just expensive. One difference from cars is that with a new motorcycle the dealer usually adds various extra fees, such as crate fee, setup fee, freight fee and destination charge; each dealer charges different amounts for each, but they are generally steep, totaling anywhere from $500 to $1,500. Used bikes don't carry these fees (if you are charged them, you have found a shady shop). So new versus used is up to you.
If buying used, Craigslist has many private sales, and there are also dealers specializing in used bikes, for example JM-Motorsports in the Bay Area and Santa Clara Cycle Accessories in Santa Clara. Dealers selling new bikes generally have some used ones too.
If buying new, after picking a model, use the dealer locator on the manufacturer's site to find every dealer nearby, then ask each for a price and negotiate, just like buying a car. Ask directly for the OTD (out the door) price and have the dealer give a breakdown, so you can see how much each fee is and use it as a reference at the next dealer. Another good option for a new bike is a “last season” model, i.e. leftover stock from last year or the year before; the bike is usually not much different and the price is a lot lower. Note that if a bike has sat in the warehouse for a long time, it is advisable to change the oil right after buying it, again similar to cars.

Next, boots. The school mentioned above requires “over-the-ankle boots” on the bike; the reason is that in a crash good boots protect the feet and ankles. Imagine a rider having a very minor accident: the bike goes down and slides together with the rider, with at least one foot pinned under the bike as it slides. Without good protection, the result is not pretty.
Beyond the gear above there is more I have not covered, such as body armor and knee guards; there are plenty of ways to read up on those if you are interested. For buying there are many options: Amazon, the accessories department that most dealers have, dedicated motorcycle gear stores such as Cycle Gear, and the Santa Clara Cycle Accessories mentioned above.

3. Where are good places in California to ride?
No idea, but Hwy 101 is not a good choice anyway...

4. Sites for learning about motorcycles

5. Common brand websites

6. Buying a bike



Java: Runtime.getRuntime().exec() with Process.waitFor() hangs forever when calling an external command

The cause of this problem is spelled out in the JDK documentation:

Because some native platforms only provide limited buffer size for standard input and output streams, failure to promptly write the input stream or read the output stream of the subprocess may cause the subprocess to block, and even deadlock.

In short: the pipes behind the child's standard output and error streams have small buffers; once one fills up and nothing drains it, the child blocks on its next write and never exits, so waitFor() waits forever. The cure is to consume the subprocess's output and error streams (on separate threads, or by redirecting them through ProcessBuilder) before or while waiting on the process.


