Missing signature verification of JWT

• Rule ID: python_lang_jwt_verification_bypass
• Languages: python
• Source: jwt_verification_bypass.yml

Description

Failing to verify the signature of JSON Web Tokens (JWTs) compromises the security of an application. Signature verification is crucial for confirming the authenticity and integrity of JWTs. Without this verification, your application is open to token forgery and replay attacks, where attackers can manipulate or reuse tokens to gain unauthorized access.

Remediations

• Do not disable verification of the token's signature, because this leaves a significant security gap.

  jwt.decode(token, options={"verify_signature": False}) # unsafe

Associated CWE

• CWE-347: Improper Verification of Cryptographic Signature

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_jwt_verification_bypass

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_jwt_verification_bypass