First, the attacker creates their own ALB with authentication configured in their own AWS account. The attacker uses this ALB to obtain a signed token whose claims they fully control. Next, the attacker changes the ALB's authentication configuration so that the issuer field matches the issuer the victim's application expects. AWS then signs the attacker's token carrying the victim's issuer. Finally, the attacker presents this minted token to the victim's application, bypassing both authentication and authorization.
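The defensive counterpart to the steps above is the check the backend must run on the `x-amzn-oidc-data` header: the `signer` claim in the JWT header must equal the ARN of your own load balancer, `iss` must be your IdP, and the ES256 signature must verify against the key fetched from the regional ALB public-key endpoint. The following is an added Python example, not code from the page or from AWS; the ARNs, issuer, `kid` and the `accept_everything` signature stub are constructed placeholders (the stub models a token AWS really did sign, so that only the claim checks stand between the forged token and acceptance).

```python
import base64
import json
import time

# Constructed placeholders: the load balancer and IdP the victim app actually uses.
EXPECTED_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/victim-alb/0123456789abcdef"
EXPECTED_ISSUER = "https://idp.example.com/"

def _b64url_decode(part: str) -> bytes:
    # ALB tokens may or may not carry '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def validate_alb_token(token: str, verify_es256, now=None) -> dict:
    """Return the payload claims if the token was minted by OUR ALB for OUR issuer, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "ES256":          # ALB only signs with ES256
        raise ValueError("unexpected alg")
    if header.get("signer") != EXPECTED_ALB_ARN:  # the check that stops a cross-account token
        raise ValueError("token signed by a load balancer that is not ours")
    if header.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if int(header.get("exp", 0)) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    region = EXPECTED_ALB_ARN.split(":")[3]    # key must come from OUR region's endpoint
    key_url = f"https://public-keys.auth.elb.{region}.amazonaws.com/{header['kid']}"
    if not verify_es256(key_url, f"{h64}.{p64}".encode(), _b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p64))

def accept_everything(key_url, signing_input, sig) -> bool:
    return True  # constructed stand-in: "AWS genuinely signed this token" (replace with real ES256 verify)

def _make_token(header: dict, payload: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode()
    return f"{enc(header)}.{enc(payload)}.{base64.urlsafe_b64encode(b'sig').decode()}"

# Constructed sample tokens: one from our ALB, one minted by an attacker's ALB with our issuer.
ATTACKER_ARN = "arn:aws:elasticloadbalancing:us-east-1:999999999999:loadbalancer/app/attacker-alb/fedcba9876543210"
_BASE = {"alg": "ES256", "kid": "00000000-0000-0000-0000-000000000000", "client": "client-id", "exp": 4102444800}
LEGIT = _make_token({**_BASE, "signer": EXPECTED_ALB_ARN, "iss": EXPECTED_ISSUER}, {"sub": "alice"})
FORGED = _make_token({**_BASE, "signer": ATTACKER_ARN, "iss": EXPECTED_ISSUER}, {"sub": "admin"})

def check(token: str, now=None) -> str:
    try:
        return "accepted:" + validate_alb_token(token, accept_everything, now)["sub"]
    except ValueError as e:
        return f"rejected: {e}"
```

Pair this with a security group that only admits traffic from the ALB, so a token cannot be delivered to the target group by any other path.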
People are making a fuss about an "AWS ALB vulnerability", but if you just do the normal things, validate the issuer, validate the JWT, restrict the ALB's traffic, and configure your security groups, it doesn't apply to you, does it? Isn't this really "a vulnerability in an app built by some fool who ignored the AWS ALB best practices"?