
JWT Signature check

Description

We sent a token with an invalid signature and it was accepted by the server.

Remediation

You must validate the token signature before trusting the token content.

GraphQL Specific

  • Apollo: Ensure that the Apollo server implementation properly validates JWT signatures by using a robust library like `jsonwebtoken` with a secure secret key or public/private key pair. Always verify the signature before trusting the payload of the token.
  • Yoga: Ensure that the Yoga framework engine is configured to validate JWT signatures properly. Use a secure library for JWT processing and make sure that it checks the signature against the expected algorithm and secret or public key. Do not allow the algorithm to be specified in the header of the JWT. Keep your signing keys secure and rotate them periodically.
  • Awsappsync: Ensure that the JWT signature is verified against a strong, trusted public key or secret. In AWS AppSync, configure the resolvers to use AWS Lambda functions or Amazon Cognito User Pools, which automatically handle the JWT signature verification. Avoid using simple token validation that only decodes the token without signature verification. Implement proper error handling to reject requests with invalid or expired JWTs.
  • Graphqlgo: Ensure that the JWT (JSON Web Token) signature is verified for each request to prevent unauthorized access. Implement a middleware in the GraphQL Go framework that checks the signature against the secret or public key before processing any query or mutation. This will help in mitigating risks associated with token tampering and replay attacks. Use a well-maintained library that conforms to the JWT specification (RFC 7519) for signature verification and token handling.
  • Graphqlruby: Ensure that JWT tokens are validated properly by checking the signature with a secure algorithm. Use a well-maintained library for JWT handling that supports the necessary validation features. Configure the GraphQL Ruby framework to require signature verification for all JWTs, and reject any tokens with invalid signatures. Regularly update the library to incorporate security fixes and improvements.
  • Hasura: Ensure that the Hasura engine is configured to validate JWT signatures with the correct algorithm and secret or public key. Update the 'HASURA_GRAPHQL_JWT_SECRET' environment variable with the appropriate JSON object containing the 'type', 'key', or 'jwk_url', depending on your setup. Regularly rotate secrets and use strong, asymmetric keys for production environments.
  • Agoo: Implement strict JWT signature verification to ensure that tokens with invalid signatures are rejected by the server.
  • Ariadne: Implement strict JWT signature verification in the Ariadne framework to ensure that only tokens with valid signatures are accepted by the server.
  • Caliban: Implement strict JWT signature validation to ensure tokens with invalid signatures are rejected by the server.
  • Dgraph: Implement strict JWT signature validation to ensure tokens are verified before granting access.
  • Dianajl: Implement strict JWT signature validation in the Dianajl framework engine to ensure that only tokens with valid signatures are accepted by the server.
  • Directus: Implement strict JWT signature verification in the Directus framework to ensure that tokens with invalid signatures are rejected by the server.
  • Flutter: Implement proper JWT signature verification in the Flutter framework to ensure that tokens with invalid signatures are rejected by the server.
  • Graphene: Implement proper JWT signature verification to ensure that tokens with invalid signatures are rejected by the server.
  • Graphqlapiforwp: Implement strict JWT signature validation to ensure that only tokens with a valid signature are accepted by the server.
  • Graphqlgophergo: Implement strict JWT signature validation in the GraphQLGopherGo framework to ensure that only tokens with valid signatures are accepted by the server.
  • Graphqljava: Ensure JWT signature validation is properly implemented and enforced in the GraphQL Java framework to prevent acceptance of tokens with invalid signatures.
  • Graphqlphp: Ensure JWT tokens are verified using a robust library that checks the signature against a trusted public key before processing any requests.
  • Graphqlyoga: Implement strict JWT signature verification in the GraphQL Yoga server to ensure that only tokens with valid signatures are accepted.
  • Hypergraphql: Implement strict JWT signature validation to ensure tokens with invalid signatures are rejected by the server.
  • Jaal: Implement strict JWT signature validation to ensure that only tokens with valid signatures are accepted by the server.
  • Juniper: Implement strict JWT signature validation to ensure tokens with invalid signatures are rejected by the server.
  • Lacinia: Implement strict JWT signature validation in the Lacinia framework to ensure that only tokens with valid signatures are accepted by the server.
  • Lighthouse: Implement strict JWT signature validation to ensure that only tokens with a valid signature are accepted by the server.
  • Mercurius: Ensure JWT signature verification is properly implemented in the Mercurius framework to reject tokens with invalid signatures.
  • Morpheusgraphql: Implement strict JWT signature validation in the Morpheus GraphQL framework to ensure that only tokens with valid signatures are accepted by the server.
  • Gqlgen: Implement strict JWT signature validation in the gqlgen framework to ensure that tokens with invalid signatures are rejected by the server.
  • Sangria: Ensure proper validation of JWT signatures by configuring the Sangria framework to verify tokens using a trusted public key or secret before processing any requests.
  • Shopify: Implement strict JWT signature validation to ensure that only tokens with a valid signature are accepted by the server.
  • Stepzen: Implement strict JWT signature validation to ensure that only tokens with valid signatures are accepted by the server.
  • Strawberry: Implement strict JWT signature validation in the Strawberry framework engine to ensure that only tokens with valid signatures are accepted by the server.
  • Tartiflette: Ensure JWT signature verification is properly implemented in the Tartiflette engine to reject tokens with invalid signatures.
  • Wpgraphql: Implement strict JWT signature validation to ensure that tokens with invalid signatures are rejected by the server in the WPGraphQL framework.

REST Specific

  • Asp_net: Ensure that the ASP.NET application validates JWT signatures using a secure library. Configure the JWT middleware to use a strong algorithm like RS256 and verify the signature against a trusted public key or secret. Reject any tokens with invalid signatures immediately.
  • Ruby_on_rails: Ensure that the JWT library in use is configured to validate the signature of the token against a known and trusted secret or public key. In Ruby on Rails, use a well-maintained JWT gem like 'jwt' and explicitly verify the signature in the authentication process. Avoid using 'none' as an algorithm, and do not trust user input for the key or algorithm used for verification.
  • Next_js: Ensure that the JWT library used in the Next.js application is configured to validate the signature of the token against a strong, private key that is securely managed. Implement proper error handling to reject any tokens with invalid signatures, and regularly rotate the signing key as a security best practice.
  • Laravel: Ensure that the JWT library in Laravel is configured to validate the signature of the token against a secure server-side secret or private key. Use the built-in Laravel authentication guards or a reputable JWT package that adheres to the latest security standards for token verification. Regularly update the JWT library to incorporate security fixes and improvements.
  • Express_js: Ensure that the Express.js application properly validates JWT signatures by using a robust library like jsonwebtoken. Configure it to verify the signature with the correct secret or public key, and reject any tokens with invalid signatures before processing any requests.
  • Django: Ensure that the Django application is configured to validate JWT signatures using a secure algorithm like HS256, RS256, or ES256. Use a reputable JWT library that provides signature verification and configure it to reject tokens with invalid signatures. Regularly update the library to incorporate security fixes and improvements.
  • Symfony: Ensure that the JWT library in Symfony is configured to validate the signature of the token against a secure server-side secret or private key. Reject any tokens with invalid signatures immediately.
  • Spring_boot: Ensure that the Spring Boot application is configured to validate JWT signatures correctly. Use a reliable JWT library, such as `java-jwt` or `spring-security-oauth2`, and configure it to verify the signature with the appropriate public key or secret. Do not allow tokens with the none algorithm, and ensure that the algorithm specified in the JWT header is expected and supported by your application. Regularly rotate keys and secrets, and handle exceptions properly to prevent unauthorized access.
  • Flask: Ensure that the Flask application is configured to validate JWT signatures properly. Use a reputable library like PyJWT and set it to verify the signature with the appropriate secret or public key. Do not allow the 'none' algorithm, and ensure that the algorithm used to verify the token matches the one used to sign it. Regularly rotate your secret keys and handle exceptions to reject any tokens with invalid signatures.
  • Nuxt: Ensure that the server properly validates JWT signatures by using a secure library and rejecting tokens with invalid signatures. In Nuxt.js, use the `jsonwebtoken` or a similar trusted library to verify the token's signature before accepting it for authentication or authorization purposes.
  • Fastapi: Ensure that the FastAPI application is configured to validate JWT signatures against a strong secret key or public key. Use a reputable JWT library and do not disable signature checks. Regularly rotate keys and audit the security of the token generation and validation process.
  • Frappe: Implement strict JWT signature validation to ensure tokens are verified against a trusted secret or public key before granting access.
  • Genzio: Implement strict JWT signature validation in the Genzio framework engine to ensure that only tokens with valid signatures are accepted by the server.
  • Gin: Ensure JWT tokens are verified using a secure and appropriate signing method, such as HMAC or RSA, and validate the token's signature before processing any associated requests in the Gin framework.
  • Gorilla: Implement strict JWT signature validation to ensure tokens with invalid signatures are rejected by the server.
  • Hapi: Ensure JWT tokens are verified using the 'hapi-auth-jwt2' plugin to validate the signature before processing requests.
  • Hono: Implement strict JWT signature validation to ensure that only tokens with a valid signature are accepted by the server.
  • Jersey: Implement JWT signature verification in the Jersey framework to ensure that tokens are properly validated before granting access.
  • Koa: Implement middleware in the Koa framework to verify JWT signatures using a trusted library like jsonwebtoken, ensuring that tokens with invalid signatures are rejected.
  • Ktor: Implement JWT signature verification in the Ktor framework to ensure that tokens are properly validated before granting access.
  • Leptos: Implement strict JWT signature validation to ensure tokens with invalid signatures are rejected by the server.
  • Macaron: Ensure JWT tokens are verified using a secure and correct secret key in the Macaron framework to prevent acceptance of tokens with invalid signatures.
  • Phoenix: Ensure JWT tokens are verified using a robust library like 'jose' to validate signatures before processing.
  • Redwoodjs: Implement proper JWT signature verification using a trusted library to ensure that tokens with invalid signatures are rejected by the server.
  • Rocket: Implement strict JWT signature validation to ensure that tokens with invalid signatures are rejected by the server.
  • Sveltekit: Implement JWT signature verification in SvelteKit by using a trusted library like 'jsonwebtoken' to ensure tokens are properly validated before granting access.

Configuration

Identifier: injection/jwt_sign_check

Examples

Ignore this check

checks:
  injection/jwt_sign_check:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API2:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-63B
  • fedramp: SI-7

Classification

  • CWE: 347

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • CVSS_SCORE: 9.3
