Kotlin Hardcoded Signing Secret
Description
Detects hardcoded signing secrets used in JWT token operations in Kotlin code. A secret embedded in source is only as confidential as the code itself: a leaked repository, a decompiled APK or JAR, or any build artifact shipped to users hands the HMAC key to whoever looks, and whoever holds the key can mint tokens the application will accept as genuine. Because the value is compiled in, it is also shared by every environment and cannot be rotated without a code change and a redeploy. The detector specifically looks for HMAC signing operations whose key is a static value.
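What the forgery above looks like end to end, as an added example that is not code from the page or from Fluid Attacks. It is Python with the standard library only, so it runs without java-jwt: `LEAKED_SECRET` reuses the literal from the vulnerable Kotlin snippet below, the claims are constructed, and `verify_hs256` stands in for the server-side check that java-jwt's `JWT.require(Algorithm.HMAC256(secret)).build().verify(token)` performs.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed: the very string the vulnerable Kotlin snippet passes to
# Algorithm.HMAC256(). Once the repo or a decompiled build leaks, this is the
# attacker's signing key too.
LEAKED_SECRET = "hardcoded_str"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: str, signing_input: str) -> bytes:
    # HS256: HMAC-SHA256 over "base64url(header).base64url(payload)";
    # the key is the UTF-8 encoding of the secret, exactly as Algorithm.HMAC256(String) uses it.
    return hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT the same way the application does."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_mac(secret, signing_input))}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Server-side verification: pin the algorithm, recompute the MAC, compare in
    constant time. Returns the claims if the signature is valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    # Pin the algorithm: never let the token choose (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_mac(secret, f"{header_b64}.{payload_b64}"), signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


def forge_admin_token(secret: str) -> str:
    """What the attacker does with the leaked secret: skip authentication entirely
    and issue themselves whatever claims the application trusts."""
    return sign_hs256({"sub": "attacker", "role": "admin"}, secret)


if __name__ == "__main__":
    forged = forge_admin_token(LEAKED_SECRET)
    print("forged token:", forged)
    print("server accepts:", verify_hs256(forged, LEAKED_SECRET))
    print("after key rotation:", verify_hs256(forged, "a-new-secret-from-the-vault"))
```

The last line of the demo is the remediation in one step: once the key lives outside the code and can be rotated, every token signed with the leaked value stops verifying, which is exactly what a compiled-in constant never allows.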
Detection Strategy
• Identifies calls to JWT HMAC signing methods from Auth0 and FusionAuth libraries (HMAC256/384/512)
• Checks if the first argument (signing key) passed to these methods is a hardcoded string or byte array constant
• Reports a vulnerability when a JWT signing operation uses a hardcoded secret key instead of an environment variable or secure configuration
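The three bullets above as a working scanner, added here as an illustration and not the Fluid Attacks detector itself. It is Python, regex and line based, so it resolves a name to a constant only when the `val` that binds it appears earlier in the same file; the real detector is assumed to work on a parsed tree and handle more shapes. The Kotlin sample it scans is constructed for the demonstration, and only the `HMAC256/384/512` call form the page names is matched.

```python
import re
from typing import Dict, List, Tuple

# Signing calls named by the detection strategy: Algorithm.HMAC256(...), HMAC384, HMAC512.
HMAC_CALL = re.compile(r"\bHMAC(256|384|512)\s*\(")
# `val NAME = <rhs>` / `var NAME = <rhs>`, with optional modifiers and type annotation.
BINDING = re.compile(
    r"^\s*(?:(?:private|internal|public|protected|const|@\w+)\s+)*"
    r"(?:val|var)\s+(\w+)\s*(?::\s*[\w<>?.]+)?\s*=\s*(.+?)\s*$"
)
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"')   # also covers "x".toByteArray()
BYTES_LITERAL = re.compile(r"^byteArrayOf\s*\(")

# Constructed Kotlin source for the demonstration (not taken from the page).
SAMPLE = """\
import com.auth0.jwt.algorithms.Algorithm

private const val LEGACY_KEY = "hardcoded_str"
val raw = byteArrayOf(0x73, 0x65, 0x63)
val fromEnv = System.getenv("JWT_SIGN_SECRET")
    ?: throw IllegalStateException("JWT signing secret not configured")

val a1 = Algorithm.HMAC256("inline-literal-secret")
val a2 = Algorithm.HMAC384(LEGACY_KEY)
val a3 = Algorithm.HMAC512(raw)
val a4 = Algorithm.HMAC256(fromEnv)
val a5 = Algorithm.HMAC256(config.getString("jwt.secret"))
"""


def first_argument(text: str) -> str:
    """Return the first argument of a call, given the text right after its '('.
    Stops at a top-level ',' or the matching ')', honouring string quotes."""
    depth, in_str, out, i = 0, False, [], 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char, do not end the string on \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif c == "(":
            depth += 1
            out.append(c)
        elif c == ")":
            if depth == 0:
                break
            depth -= 1
            out.append(c)
        elif c == "," and depth == 0:
            break
        else:
            out.append(c)
        i += 1
    return "".join(out).strip()


def is_literal_secret(expr: str) -> bool:
    """True for a string literal (including "x".toByteArray()) or a byteArrayOf(...) literal."""
    return bool(STRING_LITERAL.match(expr) or BYTES_LITERAL.match(expr))


def scan_kotlin(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, method, reason) for every HMAC signing call whose key is a
    literal, or a name bound earlier in the file to a literal. Keys that come from
    System.getenv(...) or any other call are left alone."""
    constants: Dict[str, str] = {}
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = BINDING.match(line)
        if m and is_literal_secret(m.group(2)):
            constants[m.group(1)] = m.group(2)   # remember hardcoded constants for later resolution
        for call in HMAC_CALL.finditer(line):
            arg = first_argument(line[call.end():])
            method = f"HMAC{call.group(1)}"
            if is_literal_secret(arg):
                findings.append((lineno, method, f"literal argument {arg}"))
            elif re.fullmatch(r"\w+", arg) and arg in constants:
                findings.append((lineno, method, f"{arg} is bound to literal {constants[arg]}"))
    return findings


if __name__ == "__main__":
    for lineno, method, reason in scan_kotlin(SAMPLE):
        print(f"line {lineno}: {method} signed with a hardcoded secret ({reason})")
```

Running it flags `a1`, `a2` and `a3` (inline literal, named string constant, byte-array constant) and stays silent on `a4` and `a5`, whose keys arrive from the environment and from a configuration lookup.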
Vulnerable code example
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm

// VULNERABLE: Hardcoded secret used for JWT signing. The literal ships in every
// build, so anyone with the source or a decompiled artifact can sign tokens.
val secret = "hardcoded_str"
val algorithm = Algorithm.HMAC256(secret)
val unsafeToken: String = JWT.create().sign(algorithm)
✅ Secure code example
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm

// Get the secret from an environment variable (or a secrets manager) instead of hardcoding it
val secret = System.getenv("JWT_SIGN_SECRET")
    ?.takeIf { it.isNotBlank() }
    ?: throw IllegalStateException("JWT signing secret not configured") // Fail fast if the secret is missing or empty
val algorithm = Algorithm.HMAC256(secret)
val token: String = JWT.create().sign(algorithm)
Note that the detector only checks where the key comes from. A weak value supplied through the environment is just as forgeable as a hardcoded one, so the configured secret must be random and at least as long as the HMAC output (32 bytes for HMAC256, 48 for HMAC384, 64 for HMAC512), differ per environment, and be rotatable without a code change.