Credential Stuffing in Fiber with Jwt Tokens
Credential Stuffing in Fiber with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Credential stuffing is an automated attack where stolen username and password pairs are systematically attempted against a login endpoint. When an API built with Fiber uses JSON Web Tokens (JWT) for authentication without additional protections, the attack surface centers on the token issuance path. JWTs are typically issued after verifying credentials, and if rate limiting or authentication checks are absent on the token endpoint, attackers can submit many credential pairs and receive valid tokens for valid accounts.
In a Fiber service, a common pattern is to parse a JSON payload, verify the user, and then sign a JWT using a server-side key. If this endpoint does not enforce per-IP or per-account attempt limits, or if it does not require any proof of work or captcha, an attacker can use tools to iterate through lists of credentials. Successful authentication results in a JWT being returned, which the attacker can then reuse to access protected routes that rely on the token for authorization.
The vulnerability is compounded when the JWT contains excessive claims or lacks proper audience and issuer validation, because a stolen token can be accepted across multiple services. Additionally, if tokens have long expiration times, the window of exposure increases. The unauthenticated scan capability of middleBrick tests for missing rate limiting on authentication endpoints and checks whether tokens are issued without sufficient verification, mapping findings to the Authentication and BOLA/IDOR checks in the 12-security framework.
Consider a typical Fiber login route that does not throttle requests:
const jwt = require('jsonwebtoken');
const express = require('express');
const app = express();
app.use(express.json());
app.post('/login', (req, res) => {
const { email, password } = req.body;
// simplified credential check
if (email === '[email protected]' && password === 'correct') {
const token = jwt.sign({ sub: email, role: 'user' }, 'secret-key', { expiresIn: '24h' });
return res.json({ token });
}
res.status(401).json({ error: 'invalid credentials' });
});
In this example, an attacker can repeatedly POST credentials to /login and, upon a successful match, obtain a JWT. middleBrick’s authentication checks would flag the absence of rate limiting and would highlight the risk of token issuance without multi-factor verification or adaptive controls.
Furthermore, if the application accepts JWTs from multiple sources without validating the algorithm or verifying token integrity, attackers may exploit weak key material or algorithm confusion. The scan examines token handling practices and flags cases where tokens are accepted without proper validation, aligning with the Data Exposure and Encryption checks.
Jwt Tokens-Specific Remediation in Fiber — concrete code fixes
To mitigate credential stuffing when using JWTs in Fiber, implement rate limiting on the login endpoint, enforce strong password policies, and validate tokens rigorously. Use middleware to throttle requests per IP or per user identifier before credentials are checked. When issuing tokens, include minimal claims, set reasonable expiration, and validate audience and issuer on every verification.
Below is a revised Fiber login route that incorporates rate limiting using a memory store and enforces stricter token practices:
const jwt = require('jsonwebtoken');
const express = require('express');
const app = express();
app.use(express.json());
const rateLimitWindowMs = 15 * 60 * 1000; // 15 minutes
const maxAttempts = 5;
const attempts = new Map();
function rateLimit(ip) {
const now = Date.now();
const record = attempts.get(ip) || { count: 0, start: now };
if (now - record.start > rateLimitWindowMs) {
record.count = 1;
record.start = now;
} else {
record.count += 1;
}
attempts.set(ip, record);
return record.count > maxAttempts;
}
app.post('/login', (req, res) => {
const ip = req.ip;
if (rateLimit(ip)) {
return res.status(429).json({ error: 'too many attempts' });
}
const { email, password } = req.body;
// replace with secure user lookup and password hashing check
if (email === '[email protected]' && password === 'correct') {
const token = jwt.sign(
{ sub: email, role: 'user' },
process.env.JWT_SECRET || 'secret-key',
{ algorithm: 'HS256', expiresIn: '15m', audience: 'my-api', issuer: 'fiber-service' }
);
return res.json({ token });
}
res.status(401).json({ error: 'invalid credentials' });
});
// middleware to verify JWT on protected routes
function authenticate(req, res, next) {
const auth = req.headers.authorization;
if (!auth || !auth.startsWith('Bearer ')) {
return res.status(401).json({ error: 'missing token' });
}
const token = auth.substring(7);
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET || 'secret-key', {
audience: 'my-api',
issuer: 'fiber-service',
});
req.user = decoded;
return next();
} catch (err) {
return res.status(401).json({ error: 'invalid token' });
}
}
app.get('/profile', authenticate, (req, res) => {
res.json({ user: req.user.sub });
});
Key remediation points include:
- Rate limiting on the login endpoint to reduce brute-force effectiveness.
- Using environment variables for secrets and avoiding hard-coded keys.
- Specifying algorithm (HS256), audience, and issuer during signing and verification to prevent token misuse.
- Shortening token lifetime and validating claims on each request to limit exposure.
middleBrick’s CLI can be used to re-scan the endpoint after changes to confirm that authentication and token handling findings improve, and the GitHub Action can enforce a minimum score before allowing deployments.