Bleichenbacher Attack in Sails with Bearer Tokens
Bleichenbacher Attack in Sails with Bearer Tokens — how this specific combination creates or exposes the vulnerability
A Bleichenbacher attack is a chosen-ciphertext attack originally described against PKCS#1 v1.5 padding in RSA decryption. In the context of Sails.js APIs using Bearer Tokens for authentication, the attack surface arises when token validation or session derivation relies on RSA-based operations (e.g., JWT verification with RS256) and the server exposes differential behavior based on padding validity. Sails is a Node.js MVC framework; if it integrates JSON Web Token verification (for example via passport-jwt or similar strategies) and the underlying library performs RSA decryption/padding checks in a way that leaks validity through timing or error messages, an attacker can iteratively craft ciphertexts to recover the plaintext token or forge tokens without the private key.
Bearer Tokens are often issued as opaque strings or JWTs. When a Sails backend validates a JWT signed with RS256, it typically uses the public key to verify the signature. However, if the validation routine is implemented incorrectly—such as using a low-level RSA operation that distinguishes between padding errors and signature errors—an attacker can mount a Bleichenbacher-style adaptive attack: submitting modified tokens and observing subtle differences in response (HTTP status codes, error messages, timing). This can allow recovery of the effective signing key material or enable token forgery. In Sails, this commonly occurs when custom authentication logic directly calls Node.js crypto functions (e.g., crypto.privateDecrypt) without using constant-time verification helpers, or when error handling inadvertently signals padding validity.
The combination of Sails’ flexible hook system and Bearer Token mechanisms increases risk if developers inadvertently create endpoints that validate tokens in a non-atomic way. For instance, an endpoint that decodes a JWT header, then conditionally processes the payload based on padding correctness can be probed by an automated scanner. middleBrick’s LLM/AI Security checks include Unauthenticated LLM endpoint detection and Active prompt injection testing, which map to the idea of probing endpoints without credentials to observe behavioral differences. Similarly, the scanner’s Authentication and BOLA/IDOR checks can surface endpoints where token validation logic is inconsistent, effectively exposing the conditions that make a Bleichenbacher attack practical.
Real-world analogues include CVE-2016-1000231 (a Bleichenbacher-type attack against TLS RSA padding) and issues in JWT libraries where error messages differ between invalid signature and invalid padding. In Sails, if an API returns 401 with message 'Invalid token' for bad signature but 422 with 'Malformed token' for bad padding, an attacker can distinguish and iteratively decrypt. The OWASP API Security Top 10 category ‘2023-A02: Broken Authentication’ encompasses such design flaws. middleBrick scans test for Authentication inconsistencies and Data Exposure, helping identify endpoints that leak validation status, which is critical to mitigating Bleichenbacher-style adaptive attacks.
Bearer Tokens-Specific Remediation in Sails — concrete code fixes
Remediation centers on using constant-time, high-level JWT verification and avoiding manual RSA padding operations. In Sails, prefer libraries that implement RS256 verification safely (e.g., jsonwebtoken with proper options) and ensure errors are handled uniformly.
Example: Secure JWT verification in a Sails policy
// api/policies/bearer.js
const jwt = require('jsonwebtoken');
const { promisify } = require('util');
const verifyAsync = promisify(jwt.verify).bind(jwt);
module.exports = async function(req, res, next) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.unauthorized('Unauthorized: Bearer token missing');
}
const token = authHeader.split(' ')[1];
try {
// Use a high-level verify call; do not use crypto.privateDecrypt directly.
const decoded = await verifyAsync(token, process.env.JWT_PUBLIC_KEY, {
algorithms: ['RS256'],
clockTolerance: 10, // seconds
});
req.user = decoded;
return next();
} catch (err) {
// Always return a generic error to prevent padding-oracle differentiation.
return res.unauthorized('Unauthorized: Invalid token');
}
};
Key practices:
- Use a maintained JWT library (jsonwebtoken, jose) rather than raw crypto.
- Specify allowed algorithms (e.g., RS256) to prevent algorithm confusion attacks.
- Return the same HTTP status and generic message for any token validation failure (malformed, expired, invalid signature, bad padding).
- Ensure public key loading is robust (e.g., read from a secure environment variable or a JWKS endpoint with caching).
Example: Sails config with custom hook integration (optional)
// config/security.js
module.exports.security = {
bearer: {
enabled: true,
tokenLocation: 'header',
authHeader: 'authorization',
requiredScopes: [],
verifyOptions: {
algorithms: ['RS256'],
clockTolerance: 10,
},
},
};
If integrating with an identity provider, validate tokens using JWKS with a library that handles key rotation and constant-time verification. Avoid implementing custom RSA decryption logic in Sails controllers or services, as this is where padding-oracle risks like Bleichenbacher can be introduced.