Missing signature verification of JWT
- Rule ID: python_lang_jwt_verification_bypass
- Languages: python
- Source: jwt_verification_bypass.yml
Description
Failing to verify the signature of JSON Web Tokens (JWTs) compromises the security of an application. Signature verification is crucial for confirming the authenticity and integrity of JWTs. Without this verification, your application is open to token forgery and replay attacks, where attackers can manipulate or reuse tokens to gain unauthorized access.
Remediations
- Do not disable verification of the token's signature, because this leaves a significant security gap.
jwt.decode(token, options={"verify_signature": False}) # unsafe
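The following standard-library example is added here to show what the skipped check actually does; it is not part of the rule page or of PyJWT. It signs a token with HS256, then feeds an edited copy to a decoder that ignores the signature and to one that pins the algorithm and verifies the HMAC; the key and claims are constructed sample data.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real deployment loads its key from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 token: header.payload.signature."""
    header, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_unsafe(token: str) -> dict:
    """What verify_signature=False amounts to: claims are trusted without any check."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def decode_verified(token: str, key: bytes) -> dict:
    """Pin the algorithm and check the HMAC in constant time before trusting claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects a header-supplied "none" as well
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def tampered_copy(token: str, **changes) -> str:
    """Constructed test input: edit the claims but keep the original signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = {**json.loads(_b64url_decode(body_b64)), **changes}
    return f"{header_b64}.{_segment(claims)}.{sig_b64}"


def compare_decoders(key: bytes = DEMO_KEY) -> dict:
    """Show what each decoder makes of a token whose claims were edited."""
    forged = tampered_copy(sign_hs256({"sub": "alice", "role": "user"}, key), role="admin")
    try:
        verified = decode_verified(forged, key)["role"]
    except ValueError as exc:
        verified = f"rejected ({exc})"
    return {"unsafe": decode_unsafe(forged)["role"], "verified": verified}
```

With PyJWT the equivalent safe call is jwt.decode(token, key, algorithms=["HS256"]), which keeps signature verification on and pins the accepted algorithm.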
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=python_lang_jwt_verification_bypass
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=python_lang_jwt_verification_bypass