Zone Transfer in Adonisjs with Jwt Tokens

A Zone Transfer in the context of AdonisJS with JWT tokens occurs when an attacker can cause the application to disclose internal network or DNS information, or bypass intended authorization boundaries by abusing how JWTs are validated and how route/zone protections are applied. In AdonisJS, zones are often modeled as route groups or policy scopes that should restrict access to certain resources based on tenant, organization, or network boundaries. When JWTs are used for authentication, misconfiguration can allow an authenticated user to perform a zone transfer—reading or manipulating data that should be isolated across zones.

Specifically, this can happen when token validation does not enforce zone or tenant claims strictly, and route guards or policy checks rely only on authentication status rather than validating resource ownership or zone membership. For example, an attacker with a valid JWT might iterate over IDs in a zone-limited endpoint (like /api/orgs/:orgId/projects/:projectId) and access projects belonging to other organizations if the server does not verify that the JWT’s org_id matches the requested orgId for each request. Because JWTs can contain claims such as sub, org_id, roles, and tenant, failing to cross-check those claims against the requested zone allows horizontal privilege escalation across what should be segregated zones.

Additionally, if the application exposes administrative or introspection endpoints that return zone or network details (such as internal hostnames, DNS records, or route metadata) and does not require elevated privileges or validate JWT scopes appropriately, an authenticated user can trigger these endpoints to perform a logical zone transfer—gathering information that facilitates further lateral movement. Common triggers include insecure debug endpoints, overly verbose error messages that leak internal paths, or GraphQL/REST queries that expose zone mappings without validating the requester’s zone membership. In AdonisJS, this often maps to the BOLA/IDOR checks within the 12 parallel security scans, where the scanner tests whether a valid JWT can access or enumerate resources outside the intended scope defined by the token’s claims and route parameters.

Using JWT tokens without additional zone validation also intersects with Property Authorization and Unsafe Consumption checks. If the JWT payload is trusted without verifying scope, audience, or issuer, and if route handlers directly map token claims to database queries without parameter-level authorization, the effective security boundary collapses. Attack patterns like IDOR (Insecure Direct Object References) and BFLA (Business Logic Abuse) emerge when zone boundaries are not enforced server-side per request, even when a valid JWT is present. The scanner detects these by correlating JWT claim usage in authorization decisions with route parameter handling and returns findings mapped to OWASP API Top 10 A01:2019 (Broken Object Level Authorization) and relevant compliance frameworks.

Remediation focuses on strict validation of JWT claims against requested resources and enforcing zone boundaries on every request. In AdonisJS, use route-level or policy-level checks that compare JWT payload claims (such as org_id, tenant, or zone) to route parameters or resource ownership. Never rely solely on the presence of a valid signature; always verify that the token’s claims authorize the specific zone or resource being accessed.

Example JWT setup and validation in AdonisJS:

import { BaseMiddleware } from '@ioc:Adonis/Core/Middleware'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { Jwt } from '@ioc:Adonis/Addons/Auth'

export default class JwtZoneMiddleware extends BaseMiddleware {
  public async handle({ request, auth }: HttpContextContract, next: () => Promise<void>) {
    const token = request.headers()['authorization']?.replace('Bearer ', '')
    if (!token) {
      return response.unauthorized('Missing token')
    }

    let payload: any
    try {
      payload = await Jwt.verify(token, 'your-jwt-secret', { type: 'access' })
    } catch {
      return response.unauthorized('Invalid token')
    }

    // Attach user and zone claims to the request for downstream policies
    request.authUser = { id: payload.sub, orgId: payload.org_id, roles: payload.roles }
    await next()
  }
}

Example policy that enforces zone alignment before allowing access to a project resource:

import { BasePolicy } from '@ioc:Adonis/Core/Policy'
import Project from 'App/Models/Project'

export default class ProjectPolicy {
  async view(authUser, projectId: number) {
    const project = await Project.find(projectId)
    if (!project) {
      return false
    }
    // Enforce zone/tenant boundary: JWT orgId must match project orgId
    return authUser.orgId === project.orgId
  }

  async update(authUser, projectId: number) {
    const project = await Project.find(projectId)
    if (!project) {
      return false
    }
    return authUser.orgId === project.orgId
  }
}

In route definitions, bind the policy and ensure parameters are validated against the JWT claims:

import Route from '@ioc:Adonis/Core/Route'
import ProjectPolicy from 'App/Policies/ProjectPolicy'

Route.group(() => {
  Route.get('projects/:projectId', 'ProjectsController.show').middleware('jwtZone').as('projects.show')
  Route.resource('projects', 'ProjectsController').policy(ProjectPolicy)
}).prefix('api')

Additionally, avoid exposing zone or network metadata via public endpoints. If introspection is required, scope it by JWT claims and require elevated scopes. Regularly test with the middleBrick CLI to verify that a valid JWT cannot access resources outside its org/zone; for example:

# Scan an API with JWT tokens to detect BOLA across zones
middlebrick scan https://api.example.com --auth-type jwt --token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

These steps ensure that JWT tokens are treated as assertions of zone membership and are validated on every request, preventing unintended zone transfers.