HIGH dns cache poisoningbearer tokens

Dns Cache Poisoning with Bearer Tokens

Scan your API now

How DNS Cache Poisoning Manifests in Bearer Tokens

Bearer token validation often relies on a remote introspection or userinfo endpoint to confirm that a token is still active and has not been revoked. When an application builds the URL for that endpoint from a configurable host string, a successful DNS cache poisoning attack can cause the resolver to return an attacker‑controlled IP address for the legitimate host. The application then sends the bearer token (and sometimes client credentials) to the malicious server, which can harvest the token, replay it, or use it to escalate privileges.

Typical vulnerable code paths include:

  • Fetching token introspection from a base URL stored in an environment variable without any additional validation.
  • Using a hardcoded hostname but trusting the OS DNS resolver without DNSSEC validation or certificate pinning.
  • Calling a third‑party userinfo endpoint (e.g., OAuth2 provider) where the hostname is derived from a discovery document that itself could be poisoned.

Example of a vulnerable Node.js snippet that builds the introspection URL from a config value:

// config.introspectionEndpoint = process.env.AUTH_INTROSPECTION_URL
const response = await fetch(`${config.introspectionEndpoint}`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ token: bearerToken })
});
const data = await response.json();
if (!data.active) { throw new Error('Invalid token'); }

If an attacker poisons the DNS for the host in process.env.AUTH_INTROSPECTION_URL, the fetch call goes to the attacker’s server, leaking the bearer token.

Bearer Tokens‑Specific Detection

Detecting this issue requires checking whether the application validates the authenticity of the endpoint it contacts for token validation. Indicators of risk include:

  • The token validation endpoint URL is constructed solely from user‑controlled or environment‑derived strings without an allow‑list of approved hosts.
  • No certificate pinning, DNSSEC verification, or strict TLS hostname validation is performed.
  • The application relies on a remote introspection service instead of locally verifying the token signature (JWT).

middleBrick can help discover these conditions during its unauthenticated black‑box scan. When you submit the base URL of your API, middleBrick probes common token introspection paths (e.g., /oauth/introspect, /userinfo, /auth/token/introspect) and reports:

  • Whether the endpoint returns token details without requiring authentication (a sign that the endpoint is exposed).
  • If the response contains sensitive fields such as access_token, scope, or client_id that could be harvested by an attacker.
  • Any missing security headers (e.g., Strict-Transport-Security) that would mitigate man‑in‑the‑middle attacks.

    • You can run a quick check from the terminal using the middleBrick CLI:

    middlebrick scan https://api.example.com/oauth/introspect

    The output will include a severity rating for the "Token Endpoint Exposure" finding, along with remediation guidance.

Bearer Tokens‑Specific Remediation

Fixing DNS cache poisoning in the context of bearer token validation involves two layers: ensuring the application reaches the genuine authentication server and reducing reliance on remote validation where possible.

1. **Validate the endpoint’s identity** – enforce strict TLS hostname verification and, if feasible, pin the server’s certificate or use DNSSEC‑validated resolvers. In Node.js, the built‑in https module already validates certificates when rejectUnauthorized is set to true (the default). Explicitly set it and avoid disabling it for convenience.

const https = require('https');

const options = {
  hostname: 'auth.example.com',
  port: 443,
  path: '/oauth/introspect',
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  rejectUnauthorized: true   // enforce certificate validation
};

const req = https.request(options, (res) => {
  let data = '';
  res.on('data', chunk => data += chunk);
  res.on('end', () => {
    const payload = JSON.parse(data);
    if (!payload.active) { throw new Error('Token inactive'); }
  });
});

req.on('error', err => { console.error('Request failed', err); });
req.write(JSON.stringify({ token: bearerToken }));
req.end();

2. **Prefer local token verification** – if the bearer token is a JWT, verify its signature, expiration, and audience locally instead of calling an introspection endpoint. This removes the network call that could be poisoned.

const jwt = require('jsonwebtoken');

try {
  const payload = jwt.verify(bearerToken, publicKey, { algorithms: ['RS256'], audience: 'my-api' });
  // payload contains claims; token is valid
} catch (err) {
  // token is invalid or expired
  throw new Error('Invalid token: ' + err.message);
}

3. **Restrict outbound connections** – maintain an allow‑list of trusted authentication hostnames/IPs and reject any DNS resolution that falls outside the list. This can be implemented at the application layer or via network policies (e.g., Kubernetes NetworkPolicy, AWS Security Groups).

By combining strict TLS validation, local JWT verification, and outbound allow‑listing, you eliminate the attack surface that DNS cache poisoning would exploit against bearer token validation.

Scan your API now Free API security scan

Frequently Asked Questions

Does middleBrick fix DNS cache poisoning vulnerabilities automatically?
No. middleBrick only detects and reports the issue, providing detailed findings and remediation guidance. It does not modify your code, configuration, or network settings.
Can I use middleBrick to scan internal APIs that are not publicly reachable?
middleBrick performs unauthenticated black‑box scans from the public internet. For internal‑only endpoints you would need to expose them temporarily (e.g., via a staging URL) or run the CLI/GitHub Action from within your network where the API is reachable.

Related Pages

Dns Cache Poisoning in APIsDns Cache Poisoning in APIsBearer Tokens API SecurityBearer tokens are the most common API authentication mechanism, but they're vulnerable to theft and misuse. Learn how thDns Cache Poisoning on AwsLearn how DNS cache poisoning appears in AWS APIs, how middleBrick detects it, and AWS‑native fixes using validation, VPDns Cache Poisoning on AzureDNS cache poisoning in Azure exploits misconfigured DNS resolvers in Azure Functions, App Service, and AKS. Learn Azure-Hipaa: Dns Cache PoisoningLearn how DNS cache poisoning can lead to HIPAA violations when APIs handle PHI, and how to detect and remediate with miIso 27001: Dns Cache PoisoningLearn how ISO 27001 controls apply to DNS cache poisoning in APIs, including detection via middleBrick and secure code fCis: Dns Cache PoisoningLearn how Cache Poisoning (CIS) manifests in DNS cache poisoning, detection techniques, and remediation code fixes for sGdpr: Dns Cache PoisoningUnderstand how DNS Cache Poisoning risks trigger GDPR violations. Learn to detect SSRF vectors with middleBrick and remeDns Cache Poisoning in Django with Bearer TokensLearn how DNS cache poisoning intersects with Bearer tokens in Django and apply concrete remediation patterns with code Dns Cache Poisoning in Aspnet with Bearer TokensLearn how DNS cache poisoning intersects with Bearer token handling in ASP.NET and apply concrete code fixes to reduce tDns Cache Poisoning in Buffalo with Bearer TokensExplore DNS cache poisoning in Buffalo with Bearer tokens, understand the risk, and apply concrete remediation with codeDns Cache Poisoning in Actix with Bearer TokensExplore DNS Cache Poisoning in Actix with bearer tokens, understand the risks, and apply concrete bearer token remediati