Skip to main content

Insecurely generated token - JWT

Description

The token used to consume the user creation service in the application is not generated securely, because the key that signs the token is weak and was easily found as indicated in the finding of weak credentials. For this reason, an attacker can modify token parameters such as the expiration date to consume the service, and perform queries in the application.

Impact

Use the user creation service within the application with a token signed by an attacker in a legitimate way.

Recommendation

Use strong passwords for signing and verification of the user creation token.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application creates token signature with a secure encryption method

const token = jwt.sign({ username }, jwtKey, {
algorithm: "HS256",
expiresIn: jwtExpirySeconds,
})

Non compliant code

The application creates a token signature with an insecure algorithm

const token = jwt.sign({ username }, jwtKey, {
algorithm: "RC128",
expiresIn: jwtExpirySeconds,
})

Requirements