Security vulnerability analysis

This page should gather known attack vectors on the system, their severity, and possible ways to fix them.


Disclosure of JWT shared secret 

Description: To generate JWT tokens, a common shared secret is needed. Currently this secret is distributed through docker secrets, where it is stored safely encrypted in the docker swarm RAFT log. A breach could happen before the secret is passed to docker secrets, or after docker secrets has disclosed it to the services. Currently, oms.sh writes it to a file which lies in /secrets, alongside other critical secrets.
Possible exploit: With the JWT shared secret, an attacker can create an API token with admin permissions for himself, as access tokens are not checked against a database. Gaining control over a single service with that token, or alternatively leaking the secrets folder, would expose full access to the system.
Mitigations:

  • Check access tokens in each service (would introduce significant overhead in each request).
  • Frequently cycle JWT shared secrets (might disable refresh tokens).
  • Use different secrets for Access and Refresh tokens, cycle the Access token secret only (an attacker could still forge a refresh token for an admin account).
  • Use docker-swarm and don't save tokens in that folder.
  • Delete the folder after bootstrapping.
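
The third mitigation, sketched as an added example (not code from the project): HS256 tokens signed with separate access and refresh secrets, so that cycling the access secret invalidates outstanding access tokens while refresh tokens keep working. The `token_use` claim, the lifetimes and the secret values are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT for the given claims."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64(_mac(signing_input, secret))}"

def verify(token: str, secret: bytes, use: str, now: float = None):
    """Return the claims, or None if the signature, use or expiry check fails."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None  # never switch algorithm because the token says so
        if not hmac.compare_digest(_mac(f"{head}.{body}", secret), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims.get("token_use") != use:  # hypothetical claim name
            return None
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def issue_pair(user: str, access_secret: bytes, refresh_secret: bytes, now: float):
    """Issue a short-lived access token and a long-lived refresh token."""
    access = sign({"sub": user, "token_use": "access", "exp": now + 900}, access_secret)
    refresh = sign({"sub": user, "token_use": "refresh", "exp": now + 14 * 86400}, refresh_secret)
    return access, refresh

if __name__ == "__main__":
    # Constructed secrets for the demo; real ones come from the secret store.
    old_access, new_access, refresh_key = b"access-v1", b"access-v2", b"refresh-v1"
    now = time.time()
    access, refresh = issue_pair("alice", old_access, refresh_key, now)
    print("access token after cycling: ", verify(access, new_access, "access", now))
    print("refresh token after cycling:", verify(refresh, refresh_key, "refresh", now))
```
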


Using the password reset form to spam users

Description: The password reset functionality sends an email with a reset token to validate user authenticity. The user can request an unlimited number of those tokens.
Possible exploit: If an attacker knows the email address of a user of the system, he could request an unlimited number of password reset tokens for that user, spamming his inbox.
Mitigations: Limit the maximum number of password resets per time period for a user.