RSPEC-5659

JWT should be signed and verified with strong cipher algorithms


    Details

    • Message:
      Use only strong cipher algorithms when [signing|verifying the signature of] this JWT.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Kotlin, PHP, TypeScript
    • Covered Languages:
      C#, Java, JavaScript, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-347
    • OWASP:
      A3

      Description

      If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or is not signed at all), an attacker can forge it and impersonate user identities.

      • Don't use the none algorithm to sign a token or to verify its validity.
      • Don't use a token without first verifying its signature.
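      As an added illustration that is not part of the rule text, a minimal stdlib-only HS256 implementation shows both bullets: a decoder that skips verification accepts an unsigned alg=none token claiming "sub": "admin", while the compliant decoder pins HS256 and checks the HMAC before returning any claim. The key and all tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its key from a secret store.
KEY = b"constructed-demo-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Serialise header.payload and append an HS256 signature (empty for alg=none)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    if header["alg"] == "none":
        return signing_input + "."  # the "none" algorithm: no signature at all
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> dict:
    """Noncompliant: returns the claims without checking any signature."""
    return json.loads(b64url_decode(token.split(".")[1]))

def decode_verified(token: str, key: bytes) -> dict:
    """Compliant: pins HS256 and verifies the signature before the claims are used."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # The header arrives with the token, so it must not be allowed to choose the algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("rejected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def is_accepted(token: str, key: bytes) -> bool:
    """True only if the token passes the compliant check."""
    try:
        decode_verified(token, key)
        return True
    except ValueError:
        return False
```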

      See


          Issue Links

          1. JavaScript RSPEC-5661 (Language-Specification, Active, Unassigned)
          2. C# RSPEC-5662 (Language-Specification, Active, Unassigned)
          3. VB.NET RSPEC-5751 (Language-Specification, Active, Unassigned)
          4. Java RSPEC-6135 (Language-Specification, Active, Unassigned)
          5. Python: JWT should be signed and verified RSPEC-6144 (Language-Specification, Active, Unassigned)


              People

              Assignee: Unassigned
              Reporter: Eric Therond (eric.therond)
              Votes: 0
              Watchers: 2
