Scenario #276
Security
Kubernetes v1.21, AKS

JWT Token Replay Attack in Webhook Auth

Reused JWT tokens from intercepted API requests were used to impersonate authorized users.

What Happened

A webhook-based authentication system accepted JWTs without checking their freshness. Tokens were reused in replay attacks.

Diagnosis Steps
  1. Inspected API server logs for duplicate token use.
  2. Found repeated requests carrying the same JWT from different source IPs.
  3. Correlated this with the webhook server not validating expiry or a nonce.
Root Cause

The webhook did not validate token expiry or a per-token nonce, so a JWT captured from one request remained usable when presented again.

Fix/Workaround
• Updated webhook to validate expiry and nonce in tokens.
• Rotated keys and invalidated sessions.
Lessons Learned

Any authentication system that accepts bearer tokens must treat token replay as a threat and design against it.

How to Avoid
  1. Use time-limited tokens.
  2. Implement replay protection with nonces or one-time tokens.