
JWT Signature check

Description

We sent a token with an invalid signature and it was accepted by the server.

Remediation

You must validate the token signature before trusting the token content.

GraphQL Specific

Apollo

Ensure that the Apollo server implementation properly validates JWT signatures by using a robust library like jsonwebtoken with a secure, secret key or public/private key pair. Always verify the signature before trusting the payload of the token.

Yoga

Ensure that the Yoga framework engine is configured to validate JWT signatures properly. Use a secure library for JWT processing and make sure that it checks the signature against the expected algorithm and secret or public key. Do not allow the algorithm to be specified in the header of the JWT. Keep your signing keys secure and rotate them periodically.

Awsappsync

Ensure that the JWT signature is verified against a strong, trusted public key or secret. In AWS AppSync, configure the resolvers to use AWS Lambda functions or Amazon Cognito User Pools, which automatically handle the JWT signature verification. Avoid using simple token validation that only decodes the token without signature verification. Implement proper error handling to reject requests with invalid or expired JWTs.

Graphqlgo

Ensure that the JWT (JSON Web Token) signature is verified for each request to prevent unauthorized access. Implement a middleware in the GraphQL Go framework that checks the signature against the secret or public key before processing any query or mutation. This will help in mitigating risks associated with token tampering and replay attacks. Use a well-maintained library that conforms to the JWT specification (RFC 7519) for signature verification and token handling.

Graphqlruby

Ensure that JWT tokens are validated properly by checking the signature with a secure algorithm. Use a well-maintained library for JWT handling that supports the necessary validation features. Configure the GraphQL Ruby framework to require signature verification for all JWTs, and reject any tokens with invalid signatures. Regularly update the library to incorporate security fixes and improvements.

Hasura

Ensure that the Hasura engine is configured to validate JWT signatures with the correct algorithm and secret or public key. Update the 'HASURA_GRAPHQL_JWT_SECRET' environment variable with the appropriate JSON object containing the 'type', 'key', or 'jwk_url', depending on your setup. Regularly rotate secrets and use strong, asymmetric keys for production environments.

REST Specific

Asp_net

Ensure that the ASP.NET application validates JWT signatures using a secure library. Configure the JWT middleware to use a strong algorithm like RS256 and verify the signature against a trusted public key or secret. Reject any tokens with invalid signatures immediately.

Ruby_on_rails

Ensure that the JWT library in use is configured to validate the signature of the token against a known and trusted secret or public key. In Ruby on Rails, use a well-maintained JWT gem like 'jwt' and explicitly verify the signature in the authentication process. Avoid using 'none' as an algorithm, and do not trust user input for the key or algorithm used for verification.

Next_js

Ensure that the JWT library used in the Next.js application is configured to validate the signature of the token against a strong, private key that is securely managed. Implement proper error handling to reject any tokens with invalid signatures, and regularly rotate the signing key as a security best practice.

Laravel

Ensure that the JWT library in Laravel is configured to validate the signature of the token against a secure server-side secret or private key. Use the built-in Laravel authentication guards or a reputable JWT package that adheres to the latest security standards for token verification. Regularly update the JWT library to incorporate security fixes and improvements.

Express_js

Ensure that the Express.js application properly validates JWT signatures by using a robust library like jsonwebtoken. Configure it to verify the signature with the correct secret or public key, and reject any tokens with invalid signatures before processing any requests.

Django

Ensure that the Django application is configured to validate JWT signatures using a secure algorithm like HS256, RS256, or ES256. Use a reputable JWT library that provides signature verification and configure it to reject tokens with invalid signatures. Regularly update the library to incorporate security fixes and improvements.

Symfony

Ensure that the JWT library in Symfony is configured to validate the signature of the token against a secure server-side secret or private key. Reject any tokens with invalid signatures immediately.

Spring_boot

Ensure that the Spring Boot application is configured to validate JWT signatures correctly. Use a reliable JWT library, such as java-jwt or spring-security-oauth2, and configure it to verify the signature with the appropriate public key or secret. Do not allow tokens with none algorithm, and ensure that the algorithm specified in the JWT header is expected and supported by your application. Regularly rotate keys and secrets, and handle exceptions properly to prevent unauthorized access.

Flask

Ensure that the Flask application is configured to validate JWT signatures properly. Use a reputable library like PyJWT and set it to verify the signature with the appropriate secret or public key. Do not allow the 'none' algorithm, and ensure that the algorithm used to verify the token matches the one used to sign it. Regularly rotate your secret keys and handle exceptions to reject any tokens with invalid signatures.

Nuxt

Ensure that the server properly validates JWT signatures by using a secure library and rejecting tokens with invalid signatures. In Nuxt.js, use the jsonwebtoken or a similar trusted library to verify the token's signature before accepting it for authentication or authorization purposes.

Fastapi

Ensure that the FastAPI application is configured to validate JWT signatures against a strong, secret key or public key. Use a reputable JWT library and do not disable signature checks. Regularly rotate keys and audit the security of the token generation and validation process.
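The following is an added example, not code from Escape or from any of the frameworks listed above. It implements the general remediation in plain Python with only the standard library (in a real application the PyJWT or jsonwebtoken libraries named above do this work) so that the difference between decoding a token and verifying it is visible: decode_unverified is the pattern the check flags, and verify_hs256 pins the algorithm server-side instead of reading it from the header, compares the HMAC in constant time, and rejects expired tokens. DEMO_SECRET, EXPECTED_ALG and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for this example only; a deployment loads it from a secret store.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"
# The accepted algorithm is fixed in server configuration, never taken from the token header.
EXPECTED_ALG = "HS256"


class InvalidToken(Exception):
    """Raised for any token that must be rejected."""


def _b64url_decode(segment: str) -> bytes:
    # base64url without padding, as JWS uses it
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 token; used here only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: the payload is trusted without the signature ever being checked."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Hardened pattern: pinned algorithm, constant-time MAC comparison, exp check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise InvalidToken("malformed token")
    # Honouring the header's alg is what makes "none" and algorithm-confusion tokens work,
    # so the server decides the algorithm and rejects anything else before touching the MAC.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # Only after the signature is good is the payload parsed and its claims trusted.
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        raise InvalidToken("expired")
    return payload


def verification_error(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the rejection reason, or None when the token verifies."""
    try:
        verify_hs256(token, secret, now)
        return None
    except InvalidToken as err:
        return str(err)


def demo() -> dict:
    """Show a payload-tampered token accepted by the unverified path and rejected by the verified one."""
    genuine = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, DEMO_SECRET)
    header_b64, _, sig_b64 = genuine.split(".")
    # Constructed test input: same header and signature, but the role claim has been changed.
    forged_payload = _b64url_encode(json.dumps({"sub": "alice", "role": "admin", "exp": 2_000_000_000}).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"
    return {
        "unverified_role": decode_unverified(tampered)["role"],
        "verified_result": verification_error(tampered, DEMO_SECRET),
    }


if __name__ == "__main__":
    print(demo())  # {'unverified_role': 'admin', 'verified_result': 'bad signature'}
```

verification_error is the shape a request middleware wants: a None result means the claims in the returned payload may be used for authorization, and any string is a reason to answer 401 without reading the payload at all. Swapping HS256 for RS256 or ES256 changes only the MAC step; the order (reject the algorithm, check the signature, then parse the claims) stays the same.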

Configuration

Identifier: injection/jwt_sign_check

Examples

Ignore this check

checks:
  injection/jwt_sign_check:
    skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API2:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-63B
  • fedramp: SI-7

Classification

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • CVSS_SCORE: 9.3

References