Missing signature verification of JWT

Description

Failing to verify the signature of JSON Web Tokens (JWTs) compromises the security of an application. Signature verification is crucial for confirming the authenticity and integrity of JWTs. Without this verification, your application is open to token forgery and replay attacks, where attackers can manipulate or reuse tokens to gain unauthorized access.

Remediations

  • Do not disable verification of the token's signature; doing so lets any caller present a token with arbitrary claims and have it accepted. The following call skips the check entirely:
    jwt.decode(token, options={"verify_signature": False}) # unsafe

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_jwt_verification_bypass

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_jwt_verification_bypass