Description
Query PR
Language
Java
CVE(s) ID list
CWE
CWE-321: Use of Hard-coded Cryptographic Key
Report
What is the vulnerability?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact way to transmit claims, encoded as a JSON object, between two parties. JWTs are widely used to carry security information (identity, roles, expiry) in web applications. Each token contains a set of claims, and the token is signed with a cryptographic algorithm so that the claims cannot be altered after it is issued without invalidating the signature. The security of that signature rests entirely on the key: the most basic mistake is using a hardcoded secret for JWT generation and verification.
How does the vulnerability work?
When a JWT secret key is hardcoded, it leaks whenever the source code leaks: a public or mis-shared repository, a compiled artifact (Java bytecode with string constants is trivially decompiled), or a container image. An attacker who knows the secret can sign a token carrying arbitrary claims, and the application's verifier will accept it as genuine. Depending on what the claims control, this leads to authentication bypass (impersonating any user) or privilege escalation (granting oneself an admin role).
What strategy do you use in your query to find the vulnerability?
Auth0's java-jwt library (com.auth0:java-jwt) is the de facto JWT implementation used in Java applications. This query detects insecure use of hardcoded JWT secret keys in both signing and verification, that is, hardcoded values that reach the key argument of the algorithm used to sign a token or to build its verifier.
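The following is an added illustration of the pattern the query targets and of the forgery described above; it is not the submitter's query, sample program or test cases. It is written against Auth0's java-jwt API (JWT.create, JWT.require, Algorithm.HMAC256). The secret value, the issuer name and the JWT_HS256_KEY environment variable are assumptions made for this example.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Base64;
import java.util.Date;

public class JwtSecretDemo {

    private static final String ISSUER = "demo-issuer"; // assumed issuer name for the example

    // VULNERABLE: the string literal is the "source" and Algorithm.HMAC256(...) is the "sink".
    // The constant ships in the JAR and in source control, so anyone who obtains either can sign tokens.
    private static final Algorithm VULNERABLE_ALG = Algorithm.HMAC256("change-me-please"); // constructed secret

    // Shared helpers: the only difference between vulnerable and hardened use is where the key comes from.
    static String sign(Algorithm alg, String subject, String role) {
        return JWT.create()
                .withIssuer(ISSUER)
                .withSubject(subject)
                .withClaim("role", role)
                .withExpiresAt(new Date(System.currentTimeMillis() + 3_600_000L)) // 1 hour
                .sign(alg);
    }

    static DecodedJWT verify(Algorithm alg, String token) throws JWTVerificationException {
        JWTVerifier verifier = JWT.require(alg).withIssuer(ISSUER).build();
        return verifier.verify(token); // throws if signature, issuer or expiry is wrong
    }

    // Attacker's side: with the leaked constant, a token with any claims can be minted.
    static String forgeAdminToken(String leakedSecret) {
        return sign(Algorithm.HMAC256(leakedSecret), "attacker", "admin");
    }

    // HARDENED: key material is injected by the deployment environment, never stored in source.
    // Assumption: JWT_HS256_KEY holds a base64 encoding of at least 32 random bytes
    // (RFC 7518 requires an HS256 key of at least 256 bits).
    static Algorithm loadAlgorithmFromEnvironment() {
        String encoded = System.getenv("JWT_HS256_KEY");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("JWT_HS256_KEY is not set");
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length < 32) {
            throw new IllegalStateException("JWT_HS256_KEY must decode to at least 32 bytes");
        }
        return Algorithm.HMAC256(key);
    }

    public static void main(String[] args) {
        // 1. Legitimate issuance with the hardcoded key works as expected...
        String legit = sign(VULNERABLE_ALG, "alice", "user");
        System.out.println("legit role   = " + verify(VULNERABLE_ALG, legit).getClaim("role").asString());

        // 2. ...but so does a token forged by anyone who read the source or decompiled the JAR.
        String forged = forgeAdminToken("change-me-please");
        System.out.println("forged role  = " + verify(VULNERABLE_ALG, forged).getClaim("role").asString());

        // 3. With the key loaded from the environment, the forged token no longer verifies.
        try {
            Algorithm realAlg = loadAlgorithmFromEnvironment();
            String token = sign(realAlg, "alice", "user");
            System.out.println("hardened role = " + verify(realAlg, token).getClaim("role").asString());
            try {
                verify(realAlg, forged);
                System.out.println("UNEXPECTED: forged token accepted");
            } catch (JWTVerificationException e) {
                System.out.println("forged token rejected: " + e.getMessage());
            }
        } catch (IllegalStateException e) {
            System.out.println("skipping hardened demo: " + e.getMessage());
        }
    }
}
```

Run with JWT_HS256_KEY set to the base64 of 32 bytes from a CSPRNG (for instance `openssl rand -base64 32`). For a query, the interesting data flow is from the string or byte-array literal (and constants initialised from one) into the key parameter of Algorithm.HMAC256 and its siblings, both where the resulting Algorithm is passed to sign(...) and where it is passed to JWT.require(...); the hardened variant has no literal reaching that parameter, which is what keeps it out of the results.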
How have you reduced the number of false positives?
By modelling the sources (hardcoded string and byte-array values) and the sinks (the key argument of the signing and verification algorithm) carefully, the number of false positives is reduced.
Other information?
Please refer to test cases and the sample program for more information.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response