JWT Security Key penetration testing issue #11043

mattkeene created

Abp 7.1.0 Angular 13 .NET 6

Hi We have had a critical issue raised by an external pen test company.

The issue is the JWT signing secret / SecurityKey is insecure and follows a pattern. An attacker can determine the JWT secret using publicly available information and gain unauthorised access to the application as any user.

Other example ASP.Net Zero application source code found on the internet showed the secret string pattern to be projectname_8CFB2EC534E14D56. An attacker with an example ASP.Net Zero 8.1.0 application could determine this pattern, along with the project name, through publicly available resources from the aspnetzero GitHub source repository.

The pen testers then created a Python proof-of-concept to generate fraudulent refresh tokens and gain access.

A workaround would be to replace the JWT SecurityKey in appsettings to a strong, randomised key. However, this throws a validation exception when running up the application.

Could you please provide some guidance about changing the SecurityKey? We are also happy to provide the pen test report as it is possible there would be a number of your other customers' applications that have the same vulnerability.

1 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi @mattkeene

    When you change the JWT SecurityKey in appsettings.json with a stronger key, it should work. Could you share the error you are getting? Could you also try in Chrome's incognito mode?
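The workaround discussed in the question and the answer (replace the template-derived key with a strong random one) can be enforced at startup rather than trusted to a manual edit. The following is an added example, not ASP.NET Zero or ABP code; it assumes the key is read from the `Authentication:JwtBearer:SecurityKey` setting in appsettings.json (the exact path and the `Startup` call site are assumptions), and the pattern regex is taken from the `projectname_8CFB2EC534E14D56` form described in the report.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not project code). Rejects a SecurityKey that still looks like
// the template default or is too short for HS256, and generates a replacement.
public static class JwtSecurityKeyCheck
{
    // HS256 requires at least 256 bits (32 bytes) of key material.
    private const int MinKeyBytes = 32;

    // Template-derived form described in the report:
    // "<projectname>_" followed by 16 uppercase hex digits.
    private static readonly Regex TemplatePattern =
        new Regex(@"^[A-Za-z0-9.]+_[0-9A-F]{16}$", RegexOptions.Compiled);

    // Produces a fresh key (default 64 random bytes, base64) for appsettings.json,
    // user-secrets or a vault. RandomNumberGenerator.GetBytes exists in .NET 6+.
    public static string GenerateKey(int byteLength = 64)
    {
        byte[] bytes = RandomNumberGenerator.GetBytes(byteLength);
        return Convert.ToBase64String(bytes);
    }

    // Returns null when the key is acceptable, otherwise a reason string so that
    // startup can fail loudly before the application issues a single token.
    public static string Validate(string key)
    {
        if (string.IsNullOrWhiteSpace(key))
            return "SecurityKey is not configured";
        if (TemplatePattern.IsMatch(key))
            return "SecurityKey still follows the template pattern projectname_XXXXXXXXXXXXXXXX";
        if (Encoding.UTF8.GetByteCount(key) < MinKeyBytes)
            return $"SecurityKey is shorter than {MinKeyBytes} bytes; HS256 needs 256 bits";
        return null;
    }

    // Assumed call site, e.g. in Startup.ConfigureServices:
    //   var key = configuration["Authentication:JwtBearer:SecurityKey"];
    //   var problem = JwtSecurityKeyCheck.Validate(key);
    //   if (problem != null) throw new InvalidOperationException(problem);
    // To mint a replacement once: Console.WriteLine(JwtSecurityKeyCheck.GenerateKey());
}
```

Rotating the key invalidates all tokens signed with the old one, so existing sessions and refresh tokens will be rejected after the change; that is the intended outcome when the old key is presumed compromised.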