Missing signature verification of JWT

Description

Failing to verify the signature of a JSON Web Token (JWT) compromises the security of an application. Signature verification is what confirms a token's authenticity and integrity. Without it, the application is open to token forgery and replay attacks, in which an attacker manipulates or reuses a token to gain unauthorized access.

Remediations

  • Do not use the parse() method for handling JWTs, as it does not verify the token's signature, leaving a significant security gap.
    Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken); // unsafe
  • Do use the parseClaimsJws() method when working with JWTs. This method ensures that the signature is verified, safeguarding against the manipulation of token data.
    Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken);
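The following is an added example (not code from the Bearer rule or the jjwt project) showing the safe pattern from the remediation as a small verification helper, plus a main method that checks it accepts a correctly signed token and rejects a token signed with a different key or with its signature stripped. It assumes the jjwt 0.9.x-era API that the snippets above use (Jwts.parser(), setSigningKey(byte[]), parseClaimsJws()); the class name, the constructed demo secrets and the helper method names are assumptions of this example.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.util.Date;

public class JwtVerificationExample {

    // Constructed demo secrets for this example only; a real service loads its
    // key from a secret store and never hard-codes it.
    private static final byte[] JWT_PASSWORD =
            "constructed-demo-secret-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
    private static final byte[] OTHER_KEY =
            "another-constructed-secret-also-32-bytes-long!!!".getBytes(StandardCharsets.UTF_8);

    // Safe: parseClaimsJws() only returns when the token is a signed JWS whose
    // signature verifies under the configured key. Unsigned tokens, tokens
    // signed with another key, malformed and expired tokens all throw.
    static String verifiedSubject(String accessToken) {
        try {
            Jws<Claims> jws = Jwts.parser()
                    .setSigningKey(JWT_PASSWORD)
                    .parseClaimsJws(accessToken);
            return jws.getBody().getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            // Any verification failure is treated as "not authenticated".
            return null;
        }
    }

    // Helper used only to produce test tokens for the demonstration below.
    static String mint(byte[] key, String subject) {
        return Jwts.builder()
                .setSubject(subject)
                .setExpiration(new Date(System.currentTimeMillis() + 60_000))
                .signWith(SignatureAlgorithm.HS256, key)
                .compact();
    }

    public static void main(String[] args) {
        String good = mint(JWT_PASSWORD, "alice");
        String wrongKey = mint(OTHER_KEY, "alice");

        // Same header and payload as the good token, signature segment removed.
        String[] parts = good.split("\\.");
        String unsigned = parts[0] + "." + parts[1] + ".";

        System.out.println("valid token   -> " + verifiedSubject(good));      // alice
        System.out.println("wrong key     -> " + verifiedSubject(wrongKey));  // null
        System.out.println("no signature  -> " + verifiedSubject(unsigned));  // null
    }
}
```

The point of routing every failure through one catch block is that the caller sees a single "rejected" outcome: it cannot accidentally read claims from a token whose signature was never checked. In jjwt 0.11 and later the equivalent entry point is Jwts.parserBuilder().setSigningKey(...).build().parseClaimsJws(...); the rule's remediation applies the same way.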

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_jwt_verification_bypass

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_jwt_verification_bypass