PraisonAI Platform JWT Hardcoded Secret Key Token Forgery

let SuspiciousEndpoints = dynamic(["/api/", "/admin/", "/auth/", "/users/"]);
let KnownForgedClaims = dynamic(["dev-secret-change-me"]);
union
(
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog"
    | where requestUri_s has_any (SuspiciousEndpoints)
    | extend AuthHeader = extract(@'Authorization:\s*Bearer\s+([A-Za-z0-9+/=._-]+)', 1, httpHeaders_s)
    | where isnotempty(AuthHeader)
    | extend JWTPayload = base64_decode_tostring(extract(@'^[^.]+\.([^.]+)', 1, AuthHeader))
    | where JWTPayload has_any ("admin", "superuser", "root") or JWTPayload has "role"
    | project TimeGenerated, clientIP_s, requestUri_s, httpMethod_s, JWTPayload, AuthHeader
),
(
    AppServiceHTTPLogs
    | where ScStatus in (200, 201, 204) and CsMethod in ("GET", "POST", "PUT", "DELETE", "PATCH")
    | where CsUriStem has_any (SuspiciousEndpoints)
    | extend AuthHeader = extract(@'Bearer\s+([A-Za-z0-9+/=._-]+)', 1, CsUriQuery)
    | where isnotempty(AuthHeader)
    | project TimeGenerated, CIp, CsUriStem, CsMethod, ScStatus, AuthHeader
)
| summarize RequestCount = count(), UniqueEndpoints = dcount(requestUri_s ?? CsUriStem), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ClientIP = clientIP_s ?? CIp
| where RequestCount > 5 or UniqueEndpoints > 3
| extend RiskScore = case(UniqueEndpoints > 5, "High", RequestCount > 20, "High", "Medium")
| sort by RequestCount desc

index=web OR index=application sourcetype IN ("access_combined", "nginx:access", "apache:access", "python:flask", "uvicorn")
| rex field=_raw "Authorization:\s*Bearer\s+(?P<jwt_token>[A-Za-z0-9+/=._-]+)"
| where isnotnull(jwt_token)
| rex field=jwt_token "^[^.]+\.(?P<jwt_payload>[^.]+)"
| eval decoded_payload=urldecode(replace(jwt_payload, "-", "+"))
| eval decoded_payload=base64decode(decoded_payload)
| where match(decoded_payload, "(admin|superuser|root|\"role\")") OR match(decoded_payload, "\"sub\":\s*\"[^\"]+\"")
| eval is_suspicious_role=if(match(decoded_payload, "(admin|superuser|is_admin.*true|role.*admin)"), 1, 0)
| stats count AS request_count, dc(uri_path) AS unique_paths, values(uri_path) AS paths_accessed, values(status) AS response_codes, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, decoded_payload
| where request_count > 3 OR (is_suspicious_role=1 AND request_count >= 1)
| eval risk=case(unique_paths > 5, "high", request_count > 20, "high", is_suspicious_role=1, "high", true(), "medium")
| table _time, src_ip, request_count, unique_paths, paths_accessed, response_codes, decoded_payload, risk
| sort - request_count

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   http.request.method in ("POST", "PUT", "DELETE", "PATCH") and
   url.path like~ "*/api/*" and
   http.request.headers.authorization like~ "Bearer *"]
  [network where event.category == "network" and
   http.response.status_code in (200, 201, 204) and
   url.path like~ "*/admin/*" or url.path like~ "*/users/*"]
| where #sequences >= 1

SELECT
  sourceip AS source_ip,
  "URL" AS request_url,
  "HTTP Method" AS http_method,
  "HTTP Response Code" AS response_code,
  "HTTP User Agent" AS user_agent,
  REGEXP_EXTRACT("HTTP Authorization", 'Bearer\s+([A-Za-z0-9+/=._-]+)', 1) AS jwt_token,
  COUNT(*) AS request_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'nginx', 'IBM Security Access Manager', 'Application Events')
  AND "HTTP Authorization" IMATCHES 'Bearer\s+[A-Za-z0-9+/=._-]+'
  AND ("URL" IMATCHES '.*/api/.*' OR "URL" IMATCHES '.*/admin/.*' OR "URL" IMATCHES '.*/auth/.*')
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') = DATEFORMAT(NOW(), 'yyyy-MM-dd')
GROUP BY sourceip, "HTTP Authorization"
HAVING COUNT(*) > 5 OR "URL" IMATCHES '.*/admin/.*'
ORDER BY request_count DESC
LAST 24 HOURS

_sourceCategory=web/access OR _sourceCategory=application/python
| parse regex "Authorization: Bearer (?P<jwt_token>[A-Za-z0-9+/=._-]+)"
| where !isEmpty(jwt_token)
| parse field=jwt_token "*.*.*" as jwt_header, jwt_payload, jwt_sig nodrop
| where !isEmpty(jwt_payload)
| tourl jwt_payload as decoded_attempt
| if (matches(jwt_payload, "*admin*") OR matches(jwt_payload, "*superuser*") OR matches(jwt_payload, "*is_admin*"), "suspicious", "normal") as token_class
| count as request_count, values(url) as endpoints_accessed by src_ip, token_class, jwt_payload
| where token_class = "suspicious" OR request_count > 10
| sort by request_count desc
| fields src_ip, request_count, endpoints_accessed, token_class, jwt_payload

rule cve_2026_47410_jwt_hardcoded_key_forgery {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential exploitation of CVE-2026-47410 praisonai-platform JWT hardcoded secret"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/advisories/GHSA-3qg8-5g3r-79v5"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.network.http.method = /POST|PUT|DELETE|PATCH|GET/
    $http.network.http.request_headers["authorization"] = /Bearer\s+[A-Za-z0-9+\/=._-]+/
    (
      $http.network.http.target_url = /\/api\// or
      $http.network.http.target_url = /\/admin\// or
      $http.network.http.target_url = /\/auth\//
    )
    $http.principal.ip = $ip

  match:
    $ip over 10m

  outcome:
    $request_count = count_distinct($http.network.http.target_url)
    $risk_score = if($request_count > 5, 90, if($request_count > 2, 70, 50))

  condition:
    #http > 3 and $request_count > 1
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2
| ProcessImageFileName=/python|uvicorn|gunicorn|hypercorn/i
| CommandLine=/praisonai|platform/i
| join type=inner (
    #event_simpleName=NetworkConnectIP4
    | RemotePort in (8000, 8080, 8443, 5000, 3000)
  ) [aid, timestamp]
| stats count() as connection_count, values(RemoteIP) as remote_ips, values(RemotePort) as ports by aid, CommandLine, ProcessImageFileName
| where connection_count > 10
| eval risk = if(connection_count > 50, "critical", if(connection_count > 20, "high", "medium"))
| fields aid, CommandLine, ProcessImageFileName, connection_count, remote_ips, ports, risk
| sort - connection_count