siv-org / siv

Secure Internet Voting protocol
https://siv.org

Shorten JWT Expiration Time for Improved Session Management #203

Open cjackett opened 2 months ago

cjackett commented 2 months ago

Description: The JWT tokens in pages/api/admin-check-login-code.ts are currently set with an expiration date far in the future (2038). This could lead to significant security risks if tokens are compromised, as they remain valid for an extended period, providing attackers with prolonged access. Long-lived tokens are also difficult to revoke, particularly in a stateless JWT system, and hinder the ability to adapt to evolving security practices, such as secret rotation or policy updates.

Short-lived tokens mitigate these risks by minimizing the impact of a compromised token, simplifying token revocation, and ensuring more frequent re-authentication. They also facilitate adaptation to security changes, as users regularly obtain new tokens that comply with the latest standards.

Affected Code:

cookies.set(cookie_name, signed_jwt, { expires: new Date('Tue, 19 Jan 2038 03:14:07 UTC') })

Proposed Solution:

Impact: This change will reduce the risk associated with long-lived tokens, ensuring that compromised tokens are only valid for a short period, thereby enhancing the overall security of the application.

dsernst commented 2 months ago

Good one!

arianabuilds commented 2 months ago

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $90.70 from SIV and $64.42 from the Public Vote, for a total of $155.12.

Here's what we noted in our evaluation:

What's interesting about this submission

What takes away from it

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/10