JWT claim-based policy

The recent XC WAAP release supports JWT discovery and extracts the claims from the token.

It would be a powerful way to stop access-control attacks if a policy could be set in XC WAAP based on JWT claims. For example, if the user's group information is included as a token claim and the policy can be enforced on that claim, a BFLA attack can be stopped or mitigated effectively.


Updated - 6th July, 2023.


Business requirement: One of the key vulnerabilities listed in the OWASP API Security Top 10, BFLA (Broken Function Level Authorization), can be addressed by this feature.


Example Attack Scenarios [Source - OWASP: https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/]

Scenario #1

During the registration process for an application that allows only invited users to join, the mobile application triggers an API call to GET /api/invites/{invite_guid}. The response contains a JSON with details about the invite, including the user's role and the user's email.

An attacker duplicates the request and manipulates the HTTP method and endpoint to POST /api/invites/new. This endpoint should only be accessed by administrators using the admin console. The endpoint does not implement function level authorization checks.

The attacker exploits the issue and sends a new invite with admin privileges:

POST /api/invites/new

{
  "email": "attacker@somehost.com",
  "role": "admin"
}

Later on, the attacker uses the maliciously crafted invite in order to create themselves an admin account and gain full access to the system.


James> To prevent the above attack, XC must be able to perform two things. XC needs to identify the user's group information, and the user's group info can be added to the JWT as a claim. Once XC extracts the user's group info from the JWT, it should be able to enforce the access control using CRUD control. CRUD (Create, Read, Update, Delete) is a common method to restrict the user's actions in API security. XC can use different HTTP methods to support CRUD control. In the above example, XC can extract the user's group info from the JWT. If the user's group is 'admin', then XC can allow both GET (Read) and POST (Create) actions for the API endpoint (/api/invites/new). And if the user's group info is a non-admin group such as 'external users', then XC can allow the GET (Read) action only, or not allow any action, for the API endpoint (/api/invites/new).
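The check James describes, as an added example that is not part of this post or of XC WAAP itself: verify the JWT, read the group claim, and map the HTTP method to a CRUD action that the group's policy either permits or denies. The claim name "group", the HS256 key and the policy table are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
# Hypothetical values for this illustration: the claim that carries the group,
# the shared HS256 key, and the per-group CRUD policy for /api/invites/new.
GROUP_CLAIM = "group"
SECRET = b"constructed-demo-key-not-for-production"
METHOD_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update",
                    "PATCH": "update", "DELETE": "delete"}
POLICY = {
    "/api/invites/new": {
        "admin": {"read", "create"},      # admins may GET and POST
        "external users": {"read"},       # non-admins may GET only
    }
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_and_extract(token: str):
    """Return the claims only if alg is HS256 and the signature verifies, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse any other algorithm (including "none")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def authorize(method: str, path: str, token: str) -> bool:
    """Allow only if the token is valid and the group's CRUD policy permits the action."""
    claims = verify_and_extract(token)
    if claims is None:
        return False  # tampered, unsigned or malformed token: deny
    allowed = POLICY.get(path, {}).get(claims.get(GROUP_CLAIM, ""), set())
    return METHOD_TO_ACTION.get(method.upper()) in allowed
```

A group value that is missing, unknown, or carried in a token whose signature does not verify falls through to a deny, which is the behaviour a BFLA control needs.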

  • Jin Won LEE
  • May 22 2023