0x04e - Add JWT Token aud Claim Check (#1939)
* Update 0x04e-Testing-Authentication-and-Session-Management.md

Co-authored-by: cpholguera <[email protected]>
Saket-taneja and cpholguera authored Oct 27, 2021
1 parent bcbcc13 commit 47602b0
Showing 1 changed file with 1 addition and 0 deletions.
Expand Up @@ -375,6 +375,7 @@ Verify that the implementation adheres to JWT [best practices](https://stormpath
- Verify the location of the private signing key or HMAC secret key. The key should remain on the server and should never be shared with the client. It should be available for the issuer and verifier only.
- Verify that no sensitive data, such as personal identifiable information, is embedded in the JWT. If, for some reason, the architecture requires transmission of such information in the token, make sure that payload encryption is being applied. See the sample Java implementation on the [OWASP JWT Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html "JSON Web Token for Java Cheat Sheet").
- Make sure that replay attacks are addressed with the `jti` (JWT ID) claim, which gives the JWT a unique identifier.
- Make sure that cross service relay attacks are addressed with the `aud` (audience) claim, which defines for which application the token is entitled.
- Verify that tokens are stored securely on the mobile phone, with, for example, KeyChain (iOS) or KeyStore (Android).

#### Enforcing the Hashing Algorithm
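Review bot: the new `aud` bullet (the one addition in this hunk) names the claim but not what the tester should actually verify: that the verifier rejects tokens whose `aud` is missing or does not match the service's own identifier, since the claim only prevents a token issued for one service from being relayed to another when the check is enforced. Suggest phrasing it like the `jti` bullet above it, e.g. "Make sure that cross-service relay attacks are addressed with the `aud` (audience) claim, which defines which application the token is intended for, and that the verifier rejects tokens with a missing or non-matching `aud`." Two wording points in the same line: "cross service relay attacks" should be hyphenated as "cross-service relay attacks", and "defines for which application the token is entitled" is ungrammatical.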
