Missing signature verification of JWT

Overview

• Rule ID: java_lang_jwt_verification_bypass

• Applicable Languages: Java

• Weakness ID: CWE-347

Description

Neglecting to verify the signature of JSON Web Tokens (JWTs) undermines the security of an application. Signature verification is essential to validate the authenticity and integrity of JWTs. Without this verification, your application is vulnerable to token forgery and replay attacks, allowing attackers to manipulate or reuse tokens for unauthorized access.

Remediation Guidelines

• Avoid using the parse() method to handle JWTs, as it does not verify the token's signature, creating a significant security vulnerability.

  Copy

  Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); // unsafe

• Use the parseClaimsJws() method when working with JWTs. This method verifies the signature, thereby protecting against the manipulation of token data.

  Copy

  Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken);

References

• JWT for Java Cheat Sheet

• CWE-347: Improper Verification of Cryptographic Signature

• OWASP Top 10: A02:2021 - Cryptographic Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL