Usage of weak encryption algorithm in JWT
- Rule ID: python_lang_jwt_weak_encryption
- Languages: python
- Source: jwt_weak_encryption.yml
Description
A JWT produced with PyJWT's jwt.encode is a signed token, and the algorithm argument decides how the signature is computed and therefore how hard the token is to forge. Selecting an algorithm that does not offer sufficient security strength (the extreme case being "none", which emits an unsigned token that any client can mint or alter) lets an attacker tamper with the claims the application relies on, such as the subject or role, and have the modified token accepted.
Remediations
- Do use a strong, widely supported signing algorithm for JWTs. HS256 (HMAC with SHA-256) is a secure choice, provided the secret is a random key of at least 32 bytes that is kept out of source control. On the verifying side, pass the same fixed list to jwt.decode(..., algorithms=["HS256"]) so the token's own header can never downgrade the algorithm.
jwt.encode(payload, secret, algorithm="HS256")
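The following is an added, self-contained example (not part of the Bearer rule or PyJWT) that reproduces the JWS compact format with the standard library so it runs without PyJWT installed. It builds an HS256-signed token, builds the weak unsigned "none" variant, and then contrasts a verifier that lets the token header choose the algorithm with one that pins the allowed list, which is the behaviour the remediation above asks for. The secret, claims and function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, secret: bytes, algorithm: str = "HS256") -> str:
    """Build a compact JWS. "none" is implemented only to show what the weak setting yields."""
    header = {"alg": algorithm, "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if algorithm == "HS256":
        signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    elif algorithm == "none":
        signature = b""  # unsigned token: no secret needed to produce one
    else:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return signing_input + "." + _b64url(signature)


def _hs256_ok(header_b64: str, payload_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def decode_naive(token: str, secret: bytes) -> dict:
    """Vulnerable verifier: the token's own header decides which algorithm to check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header["alg"] == "none":
        return json.loads(_b64url_decode(payload_b64))  # accepts an unsigned token
    if not _hs256_ok(header_b64, payload_b64, sig_b64, secret):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def decode_strict(token: str, secret: bytes, algorithms=("HS256",)) -> dict:
    """Hardened verifier: the caller pins the algorithm list; only HS256 is implemented here."""
    if "none" in algorithms:
        raise ValueError('"none" must never be an allowed algorithm')
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in algorithms or header.get("alg") != "HS256":
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    if not _hs256_ok(header_b64, payload_b64, sig_b64, secret):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Constructed scenario: a legitimate HS256 token and a forged unsigned one."""
    secret = b"constructed-demo-secret-not-for-production"
    legit = encode({"sub": "alice", "admin": False}, secret, algorithm="HS256")
    forged = encode({"sub": "alice", "admin": True}, b"", algorithm="none")
    try:
        decode_strict(forged, secret)
        strict_rejects_forgery = False
    except ValueError:
        strict_rejects_forgery = True
    return {
        "legit_admin": decode_strict(legit, secret)["admin"],
        "naive_accepts_forgery": decode_naive(forged, secret)["admin"],
        "strict_rejects_forgery": strict_rejects_forgery,
    }


if __name__ == "__main__":
    print(demo())
```

The naive verifier is wrong even though its HS256 branch is correct: the attacker never reaches that branch because the header they control says "none". The strict verifier makes the allowed algorithm a property of the application, not of the token. With PyJWT itself, the equivalent is to always call jwt.decode with an explicit algorithms list and never include "none" in it.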
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=python_lang_jwt_weak_encryption
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=python_lang_jwt_weak_encryption