-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Vulnerability: Lack of Access Token Signature Verification #687
Comments
Hey @GuillemPM, I am so happy to hear from you! You are right, there is no jwt signature check on the Qwik server. You are right, visually you have an "admin" access but you can't do nothing with it. What do you think, do you want to work on that issue? |
Hello @origranot, i can work on this issue if no one wants it. |
@ymoukhli, Hey, |
@origranot
I can help to extend more the idea of the preferred solution if needed. |
Hey @origranot |
Sounds good, go for it. |
@origranot (Fetch the role of the user when loading the page instead of relying on the cookie JWT payload, then show the menus according to that role, if we decide to use this method we wouldn't need to modify the database and access of pages would be handled by frontend.) |
That's a good idea. I think we should do it as a "server action" and fetch it before the page loads. |
Description
Overview
Upon user login to the Reduced.to platform, an access_token is generated and stored as an HttpOnly cookie. However, the access_token lacks signature verification, enabling an attacker to manipulate the JWT token's payload. Exploiting this vulnerability allows unauthorized users to elevate their privileges by modifying the access_token cookie, granting them access to protected features, such as those restricted to ADMIN roles.
Steps to Reproduce
Expected Behavior
Access tokens should be securely signed to prevent tampering. Any attempt to modify the token payload should result in invalidation of the token.
Actual Behavior
The access_token lacks signature verification, allowing an attacker to modify the payload and update the access_token cookie, thereby gaining unauthorized access to elevated roles and protected features.
Proposed Solution
Implement JWT signature verification for access/refresh tokens on server side to ensure their integrity and prevent tampering.
Screenshots
Additional information
No response
The text was updated successfully, but these errors were encountered: