# Insufficiently Protected Credentials

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
The code uses a hardcoded secret or private key when encoding or decoding JWTs. Storing secrets directly in source code makes them easy to discover and compromises the security of your authentication tokens.
## Impact
If attackers gain access to your source code, they can extract the hardcoded secret and forge or tamper with JWTs, leading to unauthorized access, privilege escalation, or data breaches. This can undermine the entire authentication and authorization system of your application.