Biscuits attacks

Introduction 🍪

Biscuits are a type of bearer token that offer offline attenuation and decentralized verification. They are designed to be small and efficient, making them suitable for storage in HTTP cookies. However, like any security mechanism, Biscuits are not immune to attacks.

In short, Biscuit provides the tools to build a complete, cross-platform authorization system:

  • an authorization token, verified by public key cryptography, that supports offline attenuation

  • a logic language based on Datalog to write authorization policies

  • a server-side library, available for multiple languages, to write authorizers in your applications

  • a command-line application to create, attenuate, inspect and authorize tokens

  • WebAssembly components to create, attenuate, inspect and authorize tokens, as well as to write and debug authorization policies

Example

We can get an example Biscuit token like the one below from https://www.biscuitsec.org/:

En0KEwoEMTIzNBgDIgkKBwgKEgMYgAgSJAgAEiAs2CFWr5WyHHWEiMhTXxVNw4gP7PlADPaGfr_AQk9WohpA6LZTjFfFhcFQrMsp2O7bOI9BOzP-jIE5PGhha62HDfX4t5FLQivX5rUhH5iTv2c-rd0kDSazrww4cD1UCeytDSIiCiCfMgpVPOuqq371l1wHVhCXoIscKW-wrwiKN80vR_Rfzg==
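As an added example (not part of the original page or the Biscuit project), the following Python decoder walks the protobuf envelope of the token above, using the message and field numbers from Biscuit's published schema.proto, to show what a defender can read from a token before any signature check: the optional root key id, the number of signed blocks, the authority key algorithm, and whether the token is sealed or can still be attenuated. It does not verify anything; verification requires the issuer's root public key.

```python
import base64

# The token shown on this page, copied verbatim (base64url with padding).
EXAMPLE_TOKEN = (
    "En0KEwoEMTIzNBgDIgkKBwgKEgMYgAgSJAgAEiAs2CFWr5WyHHWEiMhTXxVNw4gP7PlADPaGfr_AQk9W"
    "ohpA6LZTjFfFhcFQrMsp2O7bOI9BOzP-jIE5PGhha62HDfX4t5FLQivX5rUhH5iTv2c-rd0kDSazrww4"
    "cD1UCeytDSIiCiCfMgpVPOuqq371l1wHVhCXoIscKW-wrwiKN80vR_Rfzg=="
)

def _varint(buf, i):
    """Decode a protobuf varint at buf[i]; return (value, index after it)."""
    value, shift = 0, 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7

def _fields(buf):
    """Yield (field_number, value) pairs; Biscuit only uses varint and bytes fields."""
    i = 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        num, wire = tag >> 3, tag & 7
        if wire == 0:                      # varint (enum / uint32)
            val, i = _varint(buf, i)
        elif wire == 2:                    # length-delimited (bytes / submessage)
            n, i = _varint(buf, i)
            val, i = buf[i:i + n], i + n
        else:
            raise ValueError(f"unexpected wire type {wire} at offset {i}")
        yield num, val

def inspect_envelope(token):
    """Return the outer structure of a serialized Biscuit without verifying it."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    info = {"root_key_id": None, "algorithm": None, "block_count": 0, "sealed": None}
    for num, val in _fields(raw):          # Biscuit: 1 rootKeyId, 2 authority, 3 blocks, 4 proof
        if num == 1:
            info["root_key_id"] = val
        elif num in (2, 3):                # SignedBlock: 1 block, 2 nextKey, 3 signature
            signed = dict(_fields(val))
            key = dict(_fields(signed[2])) # PublicKey: 1 algorithm (0 = Ed25519), 2 key bytes
            if num == 2:
                info["algorithm"] = key[1]
            info["block_count"] += 1
        elif num == 4:                     # Proof: 1 nextSecret (attenuable), 2 finalSignature (sealed)
            info["sealed"] = 2 in dict(_fields(val))
    return info

if __name__ == "__main__":
    print(inspect_envelope(EXAMPLE_TOKEN))
```

For the page's token this reports a single Ed25519-signed authority block, no root key id, and `sealed: False`, meaning a holder could still append attenuation blocks offline.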

Vulnerabilities

CVE-2024-42350

https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m

CVE-2022-31053

https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr

EdDSA Fault Attack

https://github.com/kudelskisecurity/EdDSA-fault-attack

Conclusion 🏁

Biscuits offer a powerful and flexible authorization mechanism, but they are not without security risks. By understanding these threats and implementing appropriate countermeasures, you can significantly reduce the likelihood of successful Biscuit attacks and protect your online assets. 🛡️
