HIGH auth bypasshanamibearer tokens

Auth Bypass in Hanami with Bearer Tokens

Scan for auth bypass in hanami

Auth Bypass in Hanami with Bearer Tokens — how this specific combination creates or exposes the vulnerability

Hanami is a Ruby web framework that encourages explicit, layered security. When Bearer Tokens are used for authentication, a misconfiguration in how tokens are validated can lead to an authentication bypass. This typically occurs when token verification is applied inconsistently across routes or when the application fails to enforce token presence on specific endpoints that should be protected.

In a black-box scan, middleBrick tests unauthenticated access to authenticated endpoints and checks whether a valid Bearer Token is required. If an endpoint returns sensitive data or performs privileged actions without validating the Authorization header, this is flagged as an authentication bypass. Attackers can exploit this by making direct HTTP requests with missing or malformed Bearer Tokens and observing whether access is granted.

For example, an API route that manages user roles might be implemented without a token check in a specific action or controller, while other routes correctly enforce token validation. This inconsistency creates an attack surface where an unauthenticated or low-privilege user can perform administrative actions. MiddleBrick’s checks for BOLA/IDOR and Authentication are designed to detect these gaps by probing endpoints without credentials and analyzing how the application responds.

Real-world patterns that contribute to this issue include conditionally skipping authentication logic, using before filters that do not apply to all actions, or incorrectly scoping token validation to only certain controllers. The framework’s emphasis on modular apps can increase risk if each slice or endpoint does not explicitly enforce token requirements. Scanning with tools that understand Hanami’s architecture helps surface these inconsistencies before they are exploited in production.

Bearer Tokens-Specific Remediation in Hanami — concrete code fixes

Remediation centers on consistently verifying Bearer Tokens across all endpoints and ensuring that token validation cannot be bypassed by route or controller omission. Below are concrete, realistic examples for Hanami applications.

First, ensure your application verifies the Authorization header on every request. In a Hanami controller, you can define a private method that checks for a valid token and use it as a before action:

module Web
  module Controllers
    module Api
      class BaseController < Hanami::Controller
        before_action :authenticate_with_bearer_token

        private

        def authenticate_with_bearer_token
          header = request.env['HTTP_AUTHORIZATION']
          unless header&.start_with?('Bearer ')
            halt 401, { error: 'Unauthorized' }.to_json
          end

          token = header.split(' ').last
          unless valid_token?(token)
            halt 403, { error: 'Forbidden' }.to_json
          end
        end

        def valid_token?(token)
          # Replace with your token validation logic, e.g., lookup in DB or JWT verification
          TokenRepository.new.find_by_value(token).present?
        end
      end
    end
  end
end

Second, apply this base controller to all API controllers that require protection. For example, a user management endpoint should inherit from the secured base controller:

module Web
  module Controllers
    module Users
      class UpdateController < Api::BaseController
        def call(params)
          user = UserRepository.find(params[:id])
          # perform update
          Response::Ok.render(user: user.to_json)
        end
      end
    end
  end
end

Third, avoid conditional or opt-in authentication. Do not define actions that skip the before_action or rely on developer discipline to add token checks. Instead, adopt a default-deny approach where authentication is required unless explicitly overridden in a controlled manner:

module Web
  module Controllers
    module Public
      class ArticlesController < Hanami::Controller
        # No authentication required for public read-only endpoints
        def show(params)
          article = ArticleRepository.find(params[:id])
          Response::Ok.render(article: article.to_json)
        end
      end
    end
  end
end

Finally, validate token scope and expiration as part of your verification logic. Ensure that tokens are not accepted beyond their validity window and that they carry the necessary permissions for the requested action. middleBrick’s checks for Authentication and BOLA/IDOR will surface missing or overly permissive token handling, and its findings include remediation guidance mapped to frameworks such as OWASP API Top 10.

Related CWEs: authentication

CWE IDNameSeverity
CWE-287Improper Authentication CRITICAL
CWE-306Missing Authentication for Critical Function CRITICAL
CWE-307Brute Force HIGH
CWE-308Single-Factor Authentication MEDIUM
CWE-309Use of Password System for Primary Authentication MEDIUM
CWE-347Improper Verification of Cryptographic Signature HIGH
CWE-384Session Fixation HIGH
CWE-521Weak Password Requirements MEDIUM
CWE-613Insufficient Session Expiration MEDIUM
CWE-640Weak Password Recovery HIGH
Scan for auth bypass in hanami Free API security scan

Frequently Asked Questions

How can I verify my Hanami app requires Bearer Tokens on every protected route?
Use unauthenticated requests against authenticated endpoints and inspect responses. With tools that perform black-box checks, probe routes that should be protected and confirm that 401/403 responses are returned without valid Bearer Tokens.
What should I do if my scan shows an Authentication bypass in the Bearer Token flow?
Ensure all controllers that handle sensitive operations inherit from a secured base controller that enforces token validation. Remove any before_action skips or public exemptions for authenticated endpoints, and validate token scope and expiration in the verification logic.

Related Pages

Auth Bypass in HanamiAuth bypass vulnerabilities in Hanami applications stem from misconfigured filters, route constraints, and session handlAuth Bypass with Bearer TokensLearn how Bearer token auth bypass vulnerabilities occur through signature validation failures, scope issues, and impropAuth Bypass in Hanami on DigitaloceanAuth Bypass in Hanami on Digitalocean: causes, real code fixes, and session security guidance.Auth Bypass in Hanami on AwsExplore auth bypass risks when Hanami runs on AWS. Understand edge misconfigurations and apply concrete Ruby and CloudFoAuth Bypass in Hanami on CloudflareExplore auth bypass risks in Hanami behind Cloudflare with concrete remediation and Cloudflare configuration examples.Auth Bypass in Hanami on AzureExplore Auth Bypass in Hanami with Azure: causes, IDOR, remediation code, and RBAC scoping guidance.Owasp Api Top 10: Auth Bypass in HanamiExplore OWASP API Top 10 authentication bypass in Hanami APIs, with concrete Hanami code fixes to enforce authenticationHipaa: Auth Bypass in HanamiHIPAA-aware guidance on authentication bypass risks in Hanami apps with concrete Hanami code fixes and policy patterns.Gdpr: Auth Bypass in HanamiUnderstand how authentication bypass in Hanami can violate GDPR and apply concrete Hanami code fixes for ownership checkNist: Auth Bypass in HanamiExplore NIST authentication bypass risks in Hanami APIs with concrete Hanami code examples and remediation patterns.Auth Bypass in Hanami with DynamodbAuth Bypass in Hanami with DynamoDB: causes, detection, and DynamoDB-specific remediation examples and checks.Auth Bypass in Hanami with CockroachdbAuth bypass in Hanami with CockroachDB: causes, scoped repository patterns, and concrete code fixes to enforce tenant an