Re-discovering a JWT Authentication Bypass in ServiceStack
2 November 2020 at 08:37
TL;DR ServiceStack before version 5.9.2 failed to properly verify JWT signatures, allowing to forge arbitrary tokens and bypass authentication/authorization mechanisms.
The vulnerability was discovered and patched by the ServiceStack team without highlighting the actual impact, so we chose to publish this blog post along with an advisory.
Routine checks –> Auth bypass During a Web Application Penetration Test for one of our customers, I noticed that after the login process through a 3rd-party Oauth service the web application used JWT tokens to track sessions and privileges.