Missing signature verification of JWT

Description

With JSON Web Tokens (JWTs), signature verification is what ensures the authenticity and integrity of the token. Not verifying the signature of a JWT is bad security practice and makes an application vulnerable to token forgery: an attacker can alter the claims, or strip the signature entirely, and the application will still trust them.

The parse() method of the jjwt JwtParser accepts unsigned JWTs as well as signed JWS, so calling it does not guarantee that a signature was ever verified; it should be avoided in most cases. Instead, use the parseClaimsJws() method, which only accepts a signed JWS and verifies its signature against the configured key.
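The following example (added here, not code from the original page or from the jjwt project) contrasts the two parser methods on a jjwt 0.11.x parser. The key, the subject names and the forged token are constructed for the demonstration; `subjectInsecure` and `subjectSecure` are hypothetical application helpers.

```java
// Added example (not from the original page): parse() vs parseClaimsJws() in jjwt 0.11.x
// (io.jsonwebtoken:jjwt-api, jjwt-impl, jjwt-jackson). Key and token values are constructed.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;

public class JwtVerificationDemo {

    // Server-side HMAC key (random here for the demo; in practice loaded from a secret store).
    private static final SecretKey KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    // One parser, configured with the verification key. Which method is called on it
    // decides whether an unsigned token gets through.
    private static final JwtParser PARSER = Jwts.parserBuilder().setSigningKey(KEY).build();

    // ❌ Vulnerable: parse() returns a body for any well-formed JWT, signed or not, so a token
    //    whose signature was stripped and whose header says {"alg":"none"} is still accepted.
    static String subjectInsecure(String token) {
        Claims claims = (Claims) PARSER.parse(token).getBody();
        return claims.getSubject();
    }

    // ✅ Hardened: parseClaimsJws() only accepts a signed JWS whose signature verifies against
    //    KEY. Unsigned tokens raise UnsupportedJwtException; a wrong or tampered signature
    //    raises io.jsonwebtoken.security.SignatureException.
    static String subjectSecure(String token) {
        return PARSER.parseClaimsJws(token).getBody().getSubject();
    }

    public static void main(String[] args) {
        // Legitimate token issued by the server.
        String signed = Jwts.builder().setSubject("alice").signWith(KEY).compact();

        // Attacker-forged token: claims of the attacker's choosing, no signature, header
        // {"alg":"none"}. Jwts.builder() without signWith() emits exactly that form
        // (header.payload. with an empty signature segment).
        String forged = Jwts.builder().setSubject("admin").compact();

        System.out.println("parse()          signed: " + subjectInsecure(signed)); // alice
        System.out.println("parse()          forged: " + subjectInsecure(forged)); // admin: forgery accepted
        System.out.println("parseClaimsJws() signed: " + subjectSecure(signed));   // alice
        try {
            subjectSecure(forged);
            System.out.println("parseClaimsJws() forged: ACCEPTED (should not happen)");
        } catch (UnsupportedJwtException e) {
            System.out.println("parseClaimsJws() forged: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Note that setting a signing key on the parser is not enough on its own: the same configured parser accepts the forged token through parse() and rejects it through parseClaimsJws(). In jjwt 0.12 and later the API was renamed (parserBuilder() becomes parser(), setSigningKey() becomes verifyWith(), parseClaimsJws() becomes parseSignedClaims()) and unsecured JWTs are rejected by default unless the parser is explicitly built with unsecured(); the distinction between the generic parse and the signed-only parse still applies.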

Remediations

❌ Avoid using parse() to inspect JWT payloads because this method also accepts tokens that carry no signature at all

✅ Prefer parseClaimsJws() because this will verify the JWT signature

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_jwt_verification_bypass

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_jwt_verification_bypass