Auth Bypass with Bearer Tokens
How Auth Bypass Manifests in Bearer Tokens
Bearer token authentication is particularly vulnerable to auth bypass when tokens are mishandled or validation is incomplete. The most common pattern involves tokens being accepted without proper verification of their integrity or intended scope. Attackers exploit these weaknesses through several Bearer token-specific attack vectors.
Missing or weak signature validation is a critical vulnerability. When JWTs (JSON Web Tokens) are used as Bearer tokens, failing to verify the cryptographic signature allows attackers to modify token contents. For example, an attacker can change the sub (subject) claim from their user ID to an admin's ID if the server doesn't validate the signature:
// Vulnerable implementation - no signature verification
const token = req.headers.authorization.replace('Bearer ', '');
const decoded = jwt.decode(token); // Decodes without verifying
const userId = decoded.sub;
// Attacker can modify token and bypass auth
Scope and audience validation failures are another major issue. Bearer tokens often carry permissions through claims like scope or aud (audience). If your API doesn't verify these claims match the intended resource, attackers can reuse tokens across services:
// Vulnerable - no scope validation
const token = req.headers.authorization.replace('Bearer ', '');
const decoded = jwt.verify(token, process.env.JWT_SECRET);
// No check if token has 'read:users' scope for this endpoint
Timing attacks on token expiration are Bearer-specific. When servers use exp claims but implement timing-sensitive comparisons, attackers can exploit clock skew or race conditions. Additionally, refresh token misuse occurs when access tokens are accepted even when refresh tokens have been revoked, creating a window for unauthorized access.
Token leakage through insecure transmission is especially problematic for Bearer tokens since they grant immediate access without additional proof of possession. Logging tokens, including them in error responses, or transmitting them over HTTP instead of HTTPS all create auth bypass opportunities.
Bearer Tokens-Specific Detection
Detecting auth bypass in Bearer token implementations requires examining both the token validation logic and the surrounding infrastructure. The first step is verifying that all tokens are cryptographically verified before use. Tools like jwt.io debugger or jsonwebtoken library's verify() method should be used instead of decode().
Automated scanning with middleBrick specifically targets Bearer token vulnerabilities through these checks:
| Check Type | What It Tests | Risk Level |
|---|---|---|
| Signature Verification | Attempts to modify token claims and checks if server accepts altered tokens | Critical |
| Scope Validation | Tests if tokens with insufficient scopes are rejected | High |
| Audience Validation | Attempts cross-service token reuse | High |
| Expiration Handling | Tests clock skew tolerance and expiration edge cases | Medium |
For manual testing, use tools like Burp Suite or OWASP ZAP to intercept Bearer token requests. Modify the token's payload section (the middle part of the JWT) and observe if the server still accepts it. A vulnerable server will process the modified claims without rejecting the token.
Code review should focus on these Bearer-specific patterns:
// What to look for in code reviews
// 1. Missing signature verification
const decoded = jwt.decode(token); // ❌ Dangerous
// 2. Missing scope checks
const hasPermission = decoded.scope.includes(requiredScope); // ✅ Good
if (!hasPermission) return unauthorized();
// 3. Missing audience validation
if (decoded.aud !== expectedAudience) return unauthorized(); // ✅ Good
middleBrick's black-box scanning approach tests these vulnerabilities without requiring source code access. It submits modified tokens to your endpoints and analyzes responses to determine if auth bypass is possible. The scanner also checks for common implementation mistakes like accepting tokens with invalid formats or missing required claims.
Bearer Tokens-Specific Remediation
Fixing Bearer token auth bypass requires implementing proper validation at every layer. Start with mandatory cryptographic signature verification for all JWTs:
// ✅ Correct implementation
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing bearer token' });
}
const token = authHeader.replace('Bearer ', '');
let decoded;
try {
decoded = jwt.verify(token, process.env.JWT_SECRET, {
algorithms: ['RS256', 'HS256'] // Specify allowed algorithms
});
} catch (err) {
return res.status(401).json({ error: 'Invalid or expired token' });
}
Always validate token claims beyond just signature verification. Check that the token's aud (audience) matches your API, verify scope claims for authorization, and confirm the iss (issuer) is trusted:
// ✅ Comprehensive validation
function validateBearerToken(req, res, next) {
const token = extractBearerToken(req);
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
// Validate audience
if (decoded.aud !== process.env.API_AUDIENCE) {
throw new Error('Invalid audience');
}
// Validate issuer
if (decoded.iss !== process.env.TRUSTED_ISSUER) {
throw new Error('Invalid issuer');
}
// Validate scope for this endpoint
const requiredScope = getRequiredScope(req);
if (!decoded.scope?.includes(requiredScope)) {
throw new Error('Insufficient scope');
}
req.user = decoded;
next();
} catch (err) {
return res.status(401).json({ error: 'Authentication failed' });
}
}
Implement timing-safe comparisons for all token validations to prevent timing attacks. Use libraries that provide constant-time comparison functions rather than direct equality operators.
For refresh token security, implement proper token revocation tracking. When a user logs out or their session is terminated, ensure all associated tokens are invalidated:
// ✅ Token revocation tracking
const isTokenRevoked = async (token) => {
const jti = jwt.decode(token, { complete: true })?.payload.jti;
const revoked = await redis.get(`revoked:${jti}`);
return revoked !== null;
};
Always use HTTPS for all API communications to prevent token interception. Set secure, HTTP-only cookies if using token-based sessions, and implement proper CORS policies to prevent unauthorized token usage from malicious domains.
middleBrick's GitHub Action can be integrated into your CI/CD pipeline to automatically scan for these Bearer token vulnerabilities before deployment. Configure it to fail builds if critical auth bypass issues are detected:
# .github/workflows/security.yml
name: API Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run middleBrick Scan
run: |
npx middlebrick scan https://api.yourdomain.com
continue-on-error: false # Fail build on security issues
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |