Go Hardcoded Symmetric Key
Description
Detects hardcoded symmetric keys used for signing JWT tokens in Go applications. Using hardcoded keys for JWT signing makes the application vulnerable to token forgery since the secret key is exposed in the source code and can be extracted by attackers.
Detection Strategy
• Look for calls to the SignedString method typically used with JWT tokens
• Check if the first argument passed to SignedString comes from a string literal or constant
• Verify the context involves JWT token operations
• Report a vulnerability when a hardcoded string is used as the signing key for JWT tokens
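As an added illustration of this strategy (not code from the original page or from Fluid Attacks' scanner), the following Go function implements the four steps over a file's syntax tree with the standard go/ast package: it finds SignedString calls and resolves the key argument through []byte conversions and through names bound to a string literal or constant. The function name, the single-pass same-file resolution and the placeholder file name are assumptions.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// FindHardcodedJWTKeys returns the line of each SignedString call whose key is a literal, []byte(literal), or a name bound to one.
func FindHardcodedJWTKeys(src string) (lines []int, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	bound := map[string]bool{} // name -> last binding seen (source order) was a hardcoded value
	var isHardcoded func(e ast.Expr) bool
	isHardcoded = func(e ast.Expr) bool {
		switch v := e.(type) {
		case *ast.BasicLit:
			return v.Kind == token.STRING
		case *ast.Ident:
			return bound[v.Name]
		case *ast.CallExpr: // []byte("...") parses as a call whose Fun is an ArrayType
			_, conv := v.Fun.(*ast.ArrayType)
			return conv && len(v.Args) == 1 && isHardcoded(v.Args[0])
		}
		return false
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt: // key := "..." or key = os.Getenv(...) (a later rebinding resets the flag)
			for i, l := range x.Lhs {
				if id, ok := l.(*ast.Ident); ok && i < len(x.Rhs) {
					bound[id.Name] = isHardcoded(x.Rhs[i])
				}
			}
		case *ast.ValueSpec: // const key = "..." or var key = "..."
			for i, id := range x.Names {
				bound[id.Name] = i < len(x.Values) && isHardcoded(x.Values[i])
			}
		case *ast.CallExpr: // token.SignedString(key)
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "SignedString" && len(x.Args) == 1 && isHardcoded(x.Args[0]) {
				lines = append(lines, fset.Position(x.Pos()).Line)
			}
		}
		return true
	})
	return lines, nil
}
```

The returned line numbers are where a finding should be reported; a key loaded from os.Getenv is not flagged because the conversion wraps a call rather than a literal.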
Vulnerable code example

package main
import (
	"github.com/dgrijalva/jwt-go"
)
func createToken() string {
	secretKey := []byte("your-secret-key") // Vulnerable: hardcoded secret key in source code
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"sub": "user"})
	signed, _ := token.SignedString(secretKey) // the literal key becomes the HMAC secret
	return signed
}

✅ Secure code example
package main
import (
	"fmt"
	"os"
	"time"
	"github.com/dgrijalva/jwt-go"
)
func createToken() (string, error) {
	secretKey := os.Getenv("JWT_SECRET") // read at runtime from the environment (JWT_SECRET is an assumed variable name), never from source
	if secretKey == "" {
		return "", fmt.Errorf("JWT_SECRET is not set")
	}
	claims := jwt.MapClaims{"exp": time.Now().Add(time.Hour).Unix()}
	return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(secretKey))
}