Via Twitter
Authors consider SQLi as main attack vector. Hashed token mitigate r/o SQLi, encrypted mitigate r/w SQLi
That actually doesn't buy you anything. Consider the following table schema:
CREATE TABLE reset_tokens (
tokenid BIGSERIAL PRIMARY KEY,
selector TEXT,
verifier TEXT,
user BIGINT REFERENCES users (userid),
expires TIMESTAMP
);
We recommended hashing the verifier. You might think encryption would mitigate against read/write SQLi, but you can do this:
- Issue a reset for an unprivileged user.
UPDATE reset_tokens SET user = {$target} WHERE selector = {$knownToAttacker}
- Access the URL.
That works even if you can't just break out of the database, into the filesystem, and exfiltrate their encryption keys.
Why not just specify HMAC-SHA256(message=userid, key=verifier) instead of SHA256(verifier)? Then we can avoid the headache that is JWT. :)