Performance and Security Comparison of Json Web Tokens (JWT) and Platform Agnostic Security Tokens (PASETO) on RESTful APIs
Adiva Fiqri Nugraha, Herman Kabetta, I Komang Setia Buana, Raden Budiarto Hadiprakoso
Abstract
This research aims to compare the performance and security between Json Web Token (JWT) and Platform Agnostic Security Tokens (PASETO) on RESTful API. Performance is measured through the parameters of token generation time, token size, and token transfer time, while security is measured through the top three API OWASP 2019 vulnerabilities and testing CSRE attacks on tokens. The results from 50 samples show that the average token generation time of JWT is 0.5068 ms and PASETO is 2.4044 ms. The average transfer time of JWT tokens is 95.4604 ms and PASETO 190.4344 ms. The T-test results confirm the significant difference between token generation time and token transfer time in JWT and PASETO. In addition, the number of PASETO tokens generated is also greater at 320 tokens compared to JWT at 186 tokens. In security testing, JWT tokens are proven safe from OWASP 2019 API attacks, such as Broken Object Level Authorization and Excessive Data Exposure, but are not safe from Broken User Authentication attacks. PASETO tokens were shown to be safe from all three attacks. However, neither JWT nor PASETO tokens are safe from CSRE Cookie attacks. The result can be concluded that PASETO has a longer token generation time and transfer time compared to JWT. However, PASETO shows a higher level of security compared to JWT, as it can protect against the top three attacks of the OWASP 2019 API.