JWT authentication bypass attempt

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a web service is subject to processing insecure, unsigned JWT tokens. Such security activity generally indicates an attacker is tampering tokens to gain unauthorized access to protected resources or impersonate another user.

Strategy

Monitor application security events to detect JWT authentication bypass (@appsec.rule_id:dog-920-001). Also, look at SQL injection triggers because CQL syntax is similar enough to SQL syntax that the SQL patterns catch CQL injection payloads.

The signal severity is determined based on the underlying service behavior:

  • HIGH: The application is determining a valid user, this could indicate impact.
  • MEDIUM: The application is successfully responding to a substantial number of requests containing unsecured tokens.
  • LOW: High rate of unsuccessful requests containing unsecured tokens are being sent to the application.

Triage and response

  1. Consider blocking the attacking IPs temporarily to prevent them from reaching deeper parts of your production systems.
  2. Review if any user or role was effectively impersonated to assess the impact on the services.
  3. Validate if the application accepts unsigned JWT tokens. If it does, fix the code.