From DAST analysis against the test environment:
The application does not correctly validate JWTs, which can be exploited by attackers to present false claims and impersonate other users in the system. JWTs are typically used as access tokens to provide a user with access to a resource or application. The owner of the token sends the JWTs to the resource server (typically an API endpoint) and gets access to the resources, provided that the JWT is considered valid by the resource server.
Solution:
Validate the JWTs. Ensure that all JWTs contain the expected claims and that those claims are validated:

* The application must reject expired tokens ("exp").
* The application must reject tokens that are not yet valid ("nbf").
* The application must reject tokens that are intended for a different resource server or endpoint ("aud").
* The application must reject tokens that were issued by an unauthorized issuer ("iss").
* The application must reject tokens with an invalid signature.
* If the application implements token revocation, the application must reject tokens that are revoked.
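As an added example (not code from this issue or from the project it concerns), the following stdlib-only Python validator enforces every check in the list above in a safe order: the algorithm header is pinned and the signature is verified before any claim is read, and only then are "exp", "nbf", "iss", "aud" and a revocation list checked. The shared HS256 key, the expected issuer and audience URLs, the revoked-token set and the requirement that every token carry a "jti" claim (so it can be revoked) are constructed assumptions for the demo, not values from the issue.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not from the original issue):
# a shared HS256 key, the issuer and audience this resource server expects,
# and a revocation list keyed by the "jti" claim.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "https://api.example"
REVOKED_JTI = {"revoked-token-1"}
REQUIRED_CLAIMS = ("exp", "nbf", "iss", "aud", "jti")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT so the validator below has realistic input to check."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Return the verified claims, or raise ValueError naming the check that failed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm to what this server issues; anything else is rejected
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature is verified BEFORE any claim is trusted (constant-time compare)
    expected = hmac.new(SECRET, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")

    claims = json.loads(b64url_decode(payload_b64))

    # Each claim is required, not merely checked when present
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            raise ValueError("missing claim " + name)
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims["iss"] != EXPECTED_ISS:
        raise ValueError("unauthorized issuer")
    aud = claims["aud"]
    aud_list = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list
    if EXPECTED_AUD not in aud_list:
        raise ValueError("wrong audience")
    if claims["jti"] in REVOKED_JTI:
        raise ValueError("token revoked")
    return claims


def check(token: str, now: float) -> str:
    """Convenience wrapper for demos and tests: 'ok' or the rejection reason."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    now = 1_700_000_000
    good = issue_token({"sub": "alice", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                        "exp": now + 600, "nbf": now - 10, "jti": "t1"})
    print(check(good, now))           # ok
    print(check(good, now + 3600))    # token expired
```

The order of checks matters: reading claims from a payload whose signature has not yet been verified lets unverified data influence control flow, so the signature check comes first. Requiring every listed claim (rather than validating it only if present) is what turns the checklist into an enforced policy; a token missing "aud" is rejected instead of silently passing.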