
Webhook Security Risk in Tutorial: Missing JWT validation #119

Open
firedigger opened this issue Oct 21, 2024 · 1 comment
Comments


firedigger commented Oct 21, 2024

I have noticed a security issue in the provided tutorial code 10.3-simple-webhook-dotnet-securing-v2.zip, which involves setting up a webhook that is left unprotected. While JWT attributes are verified, the integrity of the JWT itself via its signature is not, leaving an attacker a very easy way to construct a JWT that will bypass the security checks. I have downloaded the sample and reproduced the issue.

Here’s a simple example of how token-based validation could be added to the webhook handler:

```csharp
// Resolves the RSA public key for the token's "kid" from the Entra ID discovery keys endpoint.
// Note: this fetches the JWKS on every call; production code should cache it.
private async Task<RSAParameters> GetRSAParameters(string kid)
{
    using var jsonDocument = JsonDocument.Parse(
        await httpClientFactory.CreateClient().GetStringAsync("https://login.microsoftonline.com/common/discovery/v2.0/keys"));
    var key = jsonDocument.RootElement.GetProperty("keys").EnumerateArray()
        .First(k => k.GetProperty("kid").GetString() == kid);
    return new RSAParameters
    {
        Modulus = Base64UrlEncoder.DecodeBytes(key.GetProperty("n").GetString()),
        Exponent = Base64UrlEncoder.DecodeBytes(key.GetProperty("e").GetString())
    };
}

// In the webhook handler: the token is read (not yet trusted) only to pick the key and tenant,
// then the handler verifies the signature together with issuer, audience and lifetime.
var tokenHandler = new JwtSecurityTokenHandler();
var parsedToken = tokenHandler.ReadJwtToken(token);
var tid = parsedToken.Claims.First(c => c.Type == "tid").Value;
var validationResult = await tokenHandler.ValidateTokenAsync(token, new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new RsaSecurityKey(await GetRSAParameters(parsedToken.Header.Kid)),
    ValidateIssuer = true,
    ValidIssuer = $"https://sts.windows.net/{tid}/",
    ValidateAudience = true,
    ValidAudience = configuration["ClientId"],
    ValidateLifetime = true
});
if (!validationResult.IsValid)
{
    // Signature, issuer, audience or lifetime check failed; validationResult.Exception has the reason.
    return Unauthorized();
}
```

I have uploaded a full sample to my GitHub and I am also willing to submit a pull request.
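An added example (not code from the issue author, the tutorial or the accelerator) showing the same validation with the two changes a practitioner would want on top of the snippet above: the signing keys are cached and refreshed by `ConfigurationManager` instead of being fetched on every call, and the issuer is pinned to tenants the webhook expects rather than rebuilt from the `tid` claim of the very token being validated. The class name, the `clientId` and `allowedTenantIds` parameters are assumptions.

```csharp
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Assumed names: this class and its constructor parameters are not from the tutorial.
public sealed class WebhookTokenValidator
{
    // Caches the discovery document and JWKS and refreshes them automatically, so the
    // keys endpoint is not fetched on every webhook call and key rollover is handled.
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _config = new(
        "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever());
    private readonly JsonWebTokenHandler _handler = new();
    private readonly string _clientId;
    private readonly HashSet<string> _allowedTenantIds;

    public WebhookTokenValidator(string clientId, IEnumerable<string> allowedTenantIds)
    {
        _clientId = clientId;
        _allowedTenantIds = allowedTenantIds.ToHashSet(StringComparer.OrdinalIgnoreCase);
    }

    public async Task<TokenValidationResult> ValidateAsync(string token, CancellationToken ct)
    {
        var oidc = await _config.GetConfigurationAsync(ct);
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = oidc.SigningKeys,      // the handler selects the key by kid
            ValidateIssuer = true,
            IssuerValidator = (issuer, _, _) => CheckIssuer(issuer),
            ValidateAudience = true,
            ValidAudience = _clientId,
            ValidateLifetime = true
        };
        // IsValid is false for a bad signature, unknown kid, wrong issuer/audience or expiry;
        // Exception carries the reason. Reject the webhook call (401) whenever it is false.
        return await _handler.ValidateTokenAsync(token, parameters);
    }

    // "common" serves every tenant, so pin the issuer to tenants this webhook expects
    // instead of building it from the tid claim of the token under validation.
    private string CheckIssuer(string issuer)
    {
        foreach (var tid in _allowedTenantIds)
            if (issuer == $"https://sts.windows.net/{tid}/") return issuer;
        throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant");
    }
}
```

Register the validator as a singleton so the cached configuration is shared across requests; a new instance per request would defeat the caching.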

firedigger (Author) commented

I found out that the repo maintainer fixed the issue in the SaaS template 7 months ago.
Azure/Commercial-Marketplace-SaaS-Accelerator@d59b49d
with similar code. I think the only thing left is to make sure to refer all the existing tutorials to that up-to-date sample.
