| Title | DuendeSoftware Identity Server 4 Authentication Bypass Issues |
|---|
| Description | During our tests, it was identified that the token renewal endpoint accepts the id_token_hint parameter even after the token expires. This allows a silent session renewal request to be reused to generate new valid tokens without the need for re-authentication.
For exploitation, a legitimate authentication was initially performed on the application. Then, a silent renewal request sent to the endpoint was intercepted:
GET /connect/authorize
The request contained the parameters prompt=none and id_token_hint=<JWT>, responsible for renewing the user's session.
After waiting for the token expiration time (exp), the same request was resent without any modification using an interception tool (e.g., Burp Suite Repeater).
Even with the expired id_token_hint, the server returned a new valid id_token and access_token, demonstrating that the system does not correctly validate the token expiration before issuing new tokens.
This behavior allows an attacker who captures a single renewal request to re-execute it indefinitely, maintaining access to the victim's account without needing credentials or MFA. |
|---|
| Source | ⚠️ http://localhost/connect/authorize/callback?client_id= |
|---|
| User | Edcarlos (UID 53778) |
|---|
| Submission | 05/03/2026 05:04 AM (2 months ago) |
|---|
| Moderation | 17/03/2026 06:03 PM (13 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 351380 [Duende IdentityServer4 up to 4.1.2 Token Renewal Endpoint /connect/authorize id_token_hint weak authentication] |
|---|
| Points | 20 |
|---|
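The replay described in the submission above, as an added example that is not part of the report and not IdentityServer code: a small Python model of the decision an authorization endpoint has to make when a client sends prompt=none with an id_token_hint. It shows the one check whose absence the report describes, that the hint's exp claim is still in the future, next to the checks that a replay of a captured request passes regardless (signature and audience). Everything in it is constructed for the example: the HS256 key, the client id, the claims, the fixed clock and the captured URL. Real id_tokens are normally RS256/ES256 and are verified against the provider's JWKS rather than a shared key, and how IdentityServer implements this internally is not shown on the page; the `enforce_exp=False` path only models the observed behaviour.

```python
"""Model of the prompt=none / id_token_hint decision behind an OIDC silent renew.
Added example: not the reporter's tooling and not IdentityServer code.  HS256 is
used so the example needs only the standard library; real id_tokens are usually
RS256/ES256 and are verified against the provider's JWKS, not a shared key."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo material; none of these values come from the report.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
CLIENT_ID = "spa-client"
ISSUED_AT = 1_700_000_000   # fixed clock so the example is deterministic
TOKEN_LIFETIME = 300        # seconds until the id_token's exp


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_id_token_hint(token: str, key: bytes, client_id: str, now: int,
                           enforce_exp: bool = True, leeway: int = 0):
    """Return (ok, reason) for an id_token_hint presented with prompt=none.

    enforce_exp=False models the behaviour the report describes: signature and
    audience are still checked, but a stale exp is ignored, so a captured
    renewal request keeps working after the token has expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed_token"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad_signature"
    if claims.get("aud") != client_id:      # the hint must belong to this client
        return False, "audience_mismatch"
    if enforce_exp and now > int(claims.get("exp", 0)) + leeway:
        return False, "expired"             # the check the report says is missing
    return True, "ok"


def authorize_decision(request_url: str, key: bytes, now: int,
                       enforce_exp: bool = True) -> str:
    """What /connect/authorize should answer for a captured request URL:
    'issue_tokens', or the OIDC error a prompt=none client would receive."""
    q = parse_qs(urlsplit(request_url).query)
    client_id = q.get("client_id", [""])[0]
    if q.get("prompt", [""])[0] != "none":
        return "interactive_login"          # not a silent renew; out of scope here
    hint = q.get("id_token_hint", [None])[0]
    if hint is None:
        return "login_required"             # prompt=none with no session evidence
    ok, _reason = validate_id_token_hint(hint, key, client_id, now, enforce_exp)
    return "issue_tokens" if ok else "login_required"


def captured_silent_renew(client_id: str = CLIENT_ID, key: bytes = SIGNING_KEY) -> str:
    """Constructed stand-in for the intercepted GET /connect/authorize request
    (prompt=none plus an id_token_hint that was valid when captured)."""
    hint = make_id_token({"iss": "http://localhost", "sub": "user-1", "aud": client_id,
                          "iat": ISSUED_AT, "exp": ISSUED_AT + TOKEN_LIFETIME}, key)
    query = urlencode({"client_id": client_id, "response_type": "id_token token",
                       "scope": "openid", "redirect_uri": "http://localhost/silent-renew.html",
                       "prompt": "none", "nonce": "n-1", "state": "s-1", "id_token_hint": hint})
    return f"http://localhost/connect/authorize?{query}"


def replay_results(request_url: str = None) -> dict:
    """Replay one captured request before and after exp, with and without the
    exp check, mirroring the Repeater steps in the report."""
    url = request_url or captured_silent_renew()
    fresh, stale = ISSUED_AT + 60, ISSUED_AT + 3600
    return {
        "fresh_hint": authorize_decision(url, SIGNING_KEY, fresh),
        "expired_hint_checked": authorize_decision(url, SIGNING_KEY, stale),
        "expired_hint_unchecked": authorize_decision(url, SIGNING_KEY, stale, enforce_exp=False),
    }


if __name__ == "__main__":
    for label, outcome in replay_results().items():
        print(f"{label:<24} -> {outcome}")
```

The three outcomes line up with the report's steps: the fresh replay is answered with tokens in both modes, the replay after exp is refused with `login_required` (the error a prompt=none client should get) only when exp is enforced, and stays a valid renewal when it is not. Signature and audience checks alone do not stop the attack, because the captured hint was minted by the provider for that client; only the freshness check does, which is why a tester confirming this issue waits past exp before resending rather than modifying the token.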