Summary

Invicti detected that the application is using a trivial secret to sign JWTs.

Impact

By brute-forcing the JWT signature, an attacker can forge a malicious token with chosen values in the JWT payload to escalate privileges, impersonate users, or trigger unintended application states that the tamper-proof token was meant to prevent.

Remediation

It is mandatory to use a strong secret to sign JWTs to avoid this vulnerability.
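
One way to enforce this at application start-up, as an added example that is not Invicti's code: audit the configured signing secret and refuse to issue tokens with a weak one. It assumes HS256 signing; the function names, the denylist and the distinct-byte heuristic are illustrative assumptions, while the 32-byte minimum follows RFC 7518 section 3.2.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed denylist for illustration; extend with your own defaults and placeholders.
TRIVIAL_SECRETS = {b"secret", b"password", b"changeme", b"jwt", b"key", b"123456"}
MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 key must be at least 256 bits
MIN_DISTINCT_BYTES = 10  # heuristic (assumption): flags repeated or patterned keys


def audit_hs256_secret(secret: bytes) -> list:
    """Return the reasons a secret is unfit for HS256 (empty list means acceptable)."""
    problems = []
    if secret.lower() in TRIVIAL_SECRETS:
        problems.append("well-known trivial value")
    if len(secret) < MIN_KEY_BYTES:
        problems.append(f"only {len(secret)} bytes, need at least {MIN_KEY_BYTES}")
    if len(set(secret)) < MIN_DISTINCT_BYTES:
        problems.append("too few distinct byte values to be random")
    return problems


def generate_hs256_secret() -> bytes:
    """Draw a 256-bit key from the operating system CSPRNG."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Sign claims as a compact JWT, refusing any secret that fails the audit."""
    problems = audit_hs256_secret(secret)
    if problems:
        raise ValueError("weak JWT secret: " + "; ".join(problems))
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts).encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(signature)])
```

Store the generated key in a secrets manager or environment variable rather than in source code, and rotate it if the audit ever flags the deployed value.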

Classifications

CWE-347; OWASP 2017-A2; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N