Weak Secret is Used to Sign JWT

Severity: High

Invicti detected that the application is using a trivial secret to sign its JWTs (JSON Web Tokens).


By brute-forcing the JWT signature, an attacker can recover the signing secret and forge malicious tokens with arbitrary values in the JWT payload, allowing them to escalate privileges, impersonate users, or trigger unintended application states that the tamper-proof token was meant to prevent.


It is mandatory to use a strong secret (long and randomly generated) to sign JWTs in order to avoid this vulnerability.
