
Injection: JWT Signature check

Identifier: jwt_sign_check

Scanner(s) Support

  • GraphQL Scanner
  • REST Scanner
  • WebApp Scanner
  • ASM Scanner

Description

JWT signature validation vulnerabilities occur when a server accepts tokens whose signatures are incorrect, or signs tokens with a weak secret key. Either flaw lets an attacker forge tokens and impersonate users or escalate privileges.

How we test: We replay JWT tokens with modified, invalid signatures and attempt to brute-force weak secret keys, then analyze the responses to detect whether the server accepts tokens with incorrect signatures. We test for signature validation bypasses and verify that the server properly validates token signatures and uses a strong secret key.

Prerequisites:

  • The scan must observe an authenticated request that uses a JWT.
  • The check covers both invalid signatures and weak JWT secrets.
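The verifier below is an added example of what a server must do to pass this check; it is not code from the scanner or from any project. It implements HS256 with the standard library only, refuses to run with a key shorter than 32 bytes (the weak-secret case), decides the algorithm itself rather than trusting the token's `alg` header, and compares signatures in constant time. The secret and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret, not from any real system. A real HS256 key should be
# at least 32 random bytes; MIN_KEY_BYTES enforces that floor.
SECRET = b"constructed-demo-secret-0123456789abcdef"
MIN_KEY_BYTES = 32

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build inputs for the verifier."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature is valid, otherwise None.
    Rejects malformed tokens, any 'alg' other than HS256 (including 'none'),
    and signatures that do not match, using a constant-time comparison."""
    if len(key) < MIN_KEY_BYTES:
        # Refusing to start is safer than silently running with a brute-forceable secret.
        raise ValueError("HS256 key shorter than MIN_KEY_BYTES")
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The server, not the token, decides the algorithm: 'none' and RS256 both fail here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))
```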

References:

Configuration

Example

Example configuration:

---
security_tests:
  jwt_sign_check:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.