I have noticed a security issue in the provided tutorial code 10.3-simple-webhook-dotnet-securing-v2.zip, which involves setting up a webhook that is left unprotected. While JWT attributes are verified, the integrity of the JWT itself via its signature is not, leaving an attacker a very easy way to construct a JWT that will bypass the security checks. I have downloaded the sample and reproduced the issue.
Here’s a simple example of how token-based validation could be added to the webhook handler:
I found out that the repo maintainer fixed the issue in the SaaS template 7 months ago (Azure/Commercial-Marketplace-SaaS-Accelerator@d59b49d) with similar code. I think the only thing left is to make sure all the existing tutorials refer to that up-to-date sample.
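To make the gap concrete, here is an added example (not the tutorial's code and not the accelerator commit referenced above) that puts the claims-only check beside a handler that validates the token's signature against the tenant's published keys. It assumes the `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Protocols.OpenIdConnect` packages; the tenant id and audience values are placeholders.

```csharp
// Added example, not code from the tutorial or the SaaS accelerator.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class WebhookTokenValidation
{
    // WEAK: ReadJwtToken only base64-decodes the token. The audience and expiry
    // claims are read straight from the payload, so a self-made token with the
    // right claims passes. This mirrors the pattern the issue describes.
    public static bool ClaimsOnlyCheck(string token, string expectedAudience)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(token);
        return jwt.Audiences.Contains(expectedAudience) && jwt.ValidTo > DateTime.UtcNow;
    }

    // Metadata/key retrieval is cached by ConfigurationManager; keep one instance.
    // "<tenant-id>" is a placeholder for the Azure AD tenant that issues the tokens.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // HARDENED: ValidateToken verifies the signature with the issuer's signing keys
    // and enforces issuer, audience and lifetime in one call. It throws a
    // SecurityTokenException (for example SecurityTokenInvalidSignatureException)
    // on any failure, so the handler should catch that and return 401.
    public static async Task<ClaimsPrincipal> ValidateAsync(
        string token, string expectedAudience, CancellationToken ct)
    {
        OpenIdConnectConfiguration config = await ConfigManager.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,   // keys fetched from the JWKS endpoint
            ValidateIssuer = true,
            ValidIssuer = config.Issuer,
            ValidateAudience = true,
            ValidAudience = expectedAudience,         // placeholder: your app's client id
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }
}
```

The claims checks in `ClaimsOnlyCheck` are still performed by `ValidateAsync`, but only after the signature has been verified, which is the step the issue reports as missing.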
I have uploaded a full sample to my github and I am also willing to submit a pull request.