This page should gather known attack vectors on the system, their severity, and possible fixes.


Disclosure of JWT shared secret

Description: To generate JWT tokens, a common shared secret is needed. Currently this secret is distributed via docker secrets, where it is safely encrypted in the docker swarm RAFT log. Breaches could happen before the secret is put into docker secrets, or after docker secrets has handed it to the services. Currently, oms.sh writes it to a file that lies in /secrets, alongside other critical secrets.
Possible exploit: With the JWT shared secret, an attacker can forge an API token with admin permissions, because access tokens are not checked against a database.
Mitigations:

  • Check access tokens in each service (would introduce significant overhead for each request).
  • Frequently cycle the JWT shared secret (might disable refresh tokens).
  • Use different secrets for access and refresh tokens and cycle only the access secret (an attacker could still forge a refresh token for an admin account).
  • Use docker swarm and don't save tokens in that folder.
  • Delete the folder after bootstrapping.
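As an added example (not code from this project), the Python sketch below implements the second and third mitigations together: access and refresh tokens are signed with separate secret sets, and only the access secret is rotated, with a one-version grace window so access tokens issued just before a rotation stay valid until they expire. The secret values, version ids and token lifetimes are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo secrets (in the setup described above they would come from docker secrets).
# Access and refresh tokens use separate secret sets; a retired access version is kept
# only as a short grace window for tokens issued just before rotation.
SECRETS = {
    "access": {"v2": b"access-secret-v2", "v1": b"access-secret-v1"},
    "refresh": {"v1": b"refresh-secret-v1"},
}
CURRENT = {"access": "v2", "refresh": "v1"}  # version used for signing new tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(kind, sub, role, ttl, now):
    """Sign an 'access' or 'refresh' token with that kind's current secret; 'kid' records the version."""
    kid = CURRENT[kind]
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps({"sub": sub, "role": role, "typ": kind, "exp": now + ttl}).encode())
    sig = hmac.new(SECRETS[kind][kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(kind, token, now):
    """Return the payload if token is a valid, unexpired token of the expected kind, else None.
    Only that kind's secrets are tried, so a refresh secret never validates an access token."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload, sig = json.loads(_unb64(h64)), json.loads(_unb64(p64)), _unb64(s64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # the token must not get to choose the algorithm
    secret = SECRETS[kind].get(header.get("kid"))
    if secret is None:
        return None  # unknown or already retired secret version
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if payload.get("typ") != kind or payload.get("exp", 0) <= now:
        return None
    return payload

def rotate_access_secret(version, secret):
    """Install a new access secret; keep only the previous version as the grace window."""
    prev = CURRENT["access"]
    SECRETS["access"] = {version: secret, prev: SECRETS["access"][prev]}
    CURRENT["access"] = version
```

Because refresh tokens are never signed with an access secret, cycling the access secret leaves existing refresh tokens usable, which is exactly the trade-off the third mitigation describes.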


Using the password reset form to spam users

Description: The password reset functionality sends an email with a reset token to validate user authenticity. A user can request an unlimited number of these tokens. If an attacker knows the email address of a user of the system, they could request password reset tokens without limit and flood that user's inbox.
