Medium | +100 XP | A07:2021 Identification and Authentication Failures | CWE-347
JWT | Authorization | Role Escalation
Scenario
Your API accepts JWT tokens and trusts the 'role' claim directly for authorization decisions.
The server maintains a list of trusted roles, but never checks whether the claimed role is in that list.
An attacker can craft a token with role='admin' and gain elevated privileges.
Trusting unverified role claims from tokens without a server-side allowlist enables horizontal and vertical privilege escalation — a common pattern in API authorization bypasses.
Your Tasks
Inspect authorise — it checks payload.role === requiredRole but never verifies the role is in trustedRoles.
Fix it: throw 'Untrusted role claim' if payload.role is not in trustedRoles.
If role IS in trustedRoles but doesn't match requiredRole, throw 'Insufficient role'.
If role is in trustedRoles and matches requiredRole, return {authorised:true}.
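The buggy authorise beside the fixed one, as an added example that is not the challenge's own code. It assumes the token's signature has already been verified by the caller, so the allowlist only rejects role values the server never issues; trustedRoles, decodeClaims and decision are names chosen here.

```javascript
// Added example, not the challenge's own code: the buggy check beside the
// fixed one. Assumes the JWT signature has ALREADY been verified by the
// caller; these functions only decide whether the claims grant requiredRole.

// Server-side allowlist of roles this application actually issues.
const trustedRoles = ['user', 'editor', 'admin'];

// Decodes the claims segment of a compact JWT (base64url-encoded JSON).
// Does NOT verify the signature; do that first with your JWT library.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// BUG: any role string in the token is accepted as long as it equals
// requiredRole, so a role the server never issues still "matches".
function authoriseVulnerable(payload, requiredRole) {
  if (payload.role === requiredRole) return { authorised: true };
  throw new Error('Insufficient role');
}

// FIX: reject a role claim that is not in the allowlist before comparing it.
function authorise(payload, requiredRole, roles = trustedRoles) {
  if (typeof payload.role !== 'string' || !roles.includes(payload.role)) {
    throw new Error('Untrusted role claim');
  }
  if (payload.role !== requiredRole) throw new Error('Insufficient role');
  return { authorised: true };
}

// Runs a check and reports the outcome as a string, handy for audit logging
// and for comparing the two behaviours side by side.
function decision(check, payload, requiredRole) {
  try {
    return check(payload, requiredRole).authorised ? 'authorised' : 'denied';
  } catch (err) {
    return err.message;
  }
}

// Constructed sample claims; 'superuser' is not a role the server issues.
const samplePayload = { sub: 'u123', role: 'superuser' };
console.log(decision(authoriseVulnerable, samplePayload, 'superuser')); // authorised
console.log(decision(authorise, samplePayload, 'superuser')); // Untrusted role claim
console.log(decision(authorise, { sub: 'u123', role: 'user' }, 'admin')); // Insufficient role
console.log(decision(authorise, { sub: 'u123', role: 'admin' }, 'admin')); // authorised
```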
Examples
Example 1 — Untrusted role bypasses authorization (bug)