Missing signature verification of JWT

Overview

Rule ID: java_lang_jwt_verification_bypass
Applicable Languages: Java
Weakness ID: CWE-347

Description

Neglecting to verify the signature of JSON Web Tokens (JWTs) undermines the security of an application. Signature verification is essential to validate the authenticity and integrity of JWTs. Without this verification, your application is vulnerable to token forgery and replay attacks, allowing attackers to manipulate or reuse tokens for unauthorized access.

Remediation Guidelines

Avoid using the parse() method to handle JWTs, as it does not verify the token's signature, creating a significant security vulnerability.
```
Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); // unsafe
```
Use the parseClaimsJws() method when working with JWTs. This method verifies the signature, thereby protecting against the manipulation of token data.
```
Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken);
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing Secure option in cookie configuration NextMissing SSL host check in SMTP

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration