Missing signature verification of JWT

PreviousMissing Secure option in cookie configuration NextMissing SSL host check in SMTP

Last updated 9 months ago

Missing signature verification of JWT

Overview

Rule ID: java_lang_jwt_verification_bypass
Applicable Languages: Java
Weakness ID: CWE-347

Description

Neglecting to verify the signature of JSON Web Tokens (JWTs) undermines the security of an application. Signature verification is essential to validate the authenticity and integrity of JWTs. Without this verification, your application is vulnerable to token forgery and replay attacks, allowing attackers to manipulate or reuse tokens for unauthorized access.

Remediation Guidelines

Avoid using the parse() method to handle JWTs, as it does not verify the token's signature, creating a significant security vulnerability.
```
Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); // unsafe
```
Use the parseClaimsJws() method when working with JWTs. This method verifies the signature, thereby protecting against the manipulation of token data.
```
Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken);
```

References

Configuration

PreviousMissing Secure option in cookie configuration NextMissing SSL host check in SMTP

Last updated 9 months ago