Skip to content

Threat model

This threat model covers a correctly configured PassBeyond instance, its public reverse proxy, IdP connection, dynamic state, and backend trust relationship.

Assets

The primary assets are:

  • authenticated access to the protected application;
  • the identity and group data supplied to the backend;
  • JWT and SAML signing keys in dynamic configuration;
  • passthrough tokens in static configuration;
  • IdP metadata and the trust relationship it represents;
  • session JWTs stored in browsers.

Attacker capabilities

Assume an unauthenticated remote attacker can send arbitrary HTTP methods, paths, cookies, and headers to the public domain. The attacker may attempt redirects, replay stolen browser state, forge identity headers, abuse public endpoints, or exhaust resources.

Also consider a network attacker between improperly protected internal components, a low-privilege local user, a compromised backend, and an operator who makes a configuration error.

Threats and controls

ThreatPassBeyond controlDeployment responsibility
Forged SAML responseValidation against configured IdP metadataProtect metadata source and IdP administration
Forged sessionHS256 signature, issuer, time, and algorithm checksProtect dynamic state and browser endpoints with TLS
Identity header spoofingRemoves incoming identity and X-Passbeyond-* headersPrevent direct backend access
Client IP spoofingTrusts forwarding data only from trustedProxies and overwrites downstream headersConfigure narrow proxy addresses
Open redirectReturn URL must be HTTPS and match the configured domain and portConfigure the exact public domain
Proxy loopInstance ID header detects a request returning to the same instanceSet targetURL to the actual backend
Stolen JWT replayShort, signed expiry windowPrevent cookie theft; choose an appropriate timeout
Key disclosureRestricted dynamic file created with private permissionsHarden host, backups, and diagnostics; rotate after disclosure
Backend interceptionUpstream TLS verification enabled by defaultUse a trusted CA and keep verification enabled
Metadata resource exhaustionRemote response capped at 10 MiB and fetched with a timeoutRestrict outbound connectivity and monitor refresh failures
Log injectionSecurity-relevant request data is sanitized before loggingProtect and monitor log access

Residual risks

Session replay

The application JWT is a bearer credential and is not bound to a device, TLS channel, or client key. An attacker who steals it can use it until expiry. PassBeyond has no per-session server-side revocation list.

Delayed identity changes

The JWT carries a snapshot of IdP attributes. Disabling an account or changing its groups at the IdP does not update an already issued session.

Intentional bypasses

A matched passthrough path or token skips SAML authentication by design. Token compromise or an overly broad path exposes the backend independently of the IdP.

Trusted component compromise

A compromised TLS proxy can alter requests before they reach PassBeyond. A compromised PassBeyond host exposes signing keys and sessions. A compromised backend receives user identity data and may ignore authorization rules. These components require independent hardening.

Review triggers

Revisit the threat model whenever you:

  • add a passthrough rule or preserve incoming authorization headers;
  • change the edge proxy or trusted proxy ranges;
  • expose a new backend route or protocol;
  • change IdP metadata delivery or signing requirements;
  • lengthen the session timeout;
  • share storage, networks, or configuration across instances.

Released under the MIT License.