Is there a way that someone could put malicious code inside a JWT and then have it executed?


Aaron Gray

Oct 9, 2015, 4:01:43 PM
to ruby-jwt
First-time JWT user here. I am planning on storing my JWTs client-side, in web storage or in a JS-readable cookie. Since both of these things can be edited by users, I was wondering if it was possible that an attacker could encode malicious code inside the JWT, and then have it executed when I run JWT.decode server-side?

Thanks for any insight into this!

excpt

Oct 27, 2015, 10:40:58 AM
to ruby-jwt
Hi Aaron,

The content inside the token is not executed. The jwt gem decodes the token and returns a hash.

aa...@ponderyourpath.com

Oct 27, 2015, 12:53:59 PM
to ruby-jwt
Very helpful, thanks for the insight!
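
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not the jwt gem's own code: a stand-alone HS256 verifier built on Ruby's `json` and `openssl` libraries, showing that a claim containing Ruby source text comes back as a plain String in a Hash and that a client-edited payload fails the signature check. `SECRET`, `SAMPLE_CLAIMS` and all function names are assumptions made for this example.

```ruby
require "json"
require "openssl"

SECRET = "constructed-demo-secret" # constructed sample key for this example only

# base64url without padding, as JWT segments use (RFC 7515)
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text.tr("-_", "+/") + "=" * ((4 - text.length % 4) % 4)).unpack1("m0")
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Helper that builds the constructed sample token.
def sign_hs256(payload, secret)
  input = [{ "alg" => "HS256", "typ" => "JWT" }, payload]
          .map { |part| b64url_encode(JSON.generate(part)) }.join(".")
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest("SHA256", secret, input))}"
end

# Check the signature, then parse the payload with JSON.parse only.
# Nothing from the token reaches eval, Marshal.load or a shell.
def verify_and_decode(token, secret)
  parts = token.to_s.split(".", -1)
  raise ArgumentError, "malformed token" unless parts.length == 3
  head, body, sig = parts
  header = JSON.parse(b64url_decode(head))
  raise ArgumentError, "unexpected alg" unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{head}.#{body}")
  raise ArgumentError, "signature mismatch" unless secure_equal?(b64url_decode(sig), expected)
  JSON.parse(b64url_decode(body))
rescue JSON::ParserError
  raise ArgumentError, "malformed token"
end

# Constructed claim whose value looks like Ruby source; it stays a String.
SAMPLE_CLAIMS = { "sub" => "42", "note" => "exit!(1) # never evaluated" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts verify_and_decode(sign_hs256(SAMPLE_CLAIMS, SECRET), SECRET).inspect
end
```

The decoded claims are still client-supplied data once verified, so the application must not pass them to `eval`, `send`, a shell or an unparameterised SQL string.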