C Sharp Jwt Signed Without Verification
Description
Detects potentially insecure JWT token creation in C# code where proper signature verification is missing. This vulnerability could allow attackers to forge or tamper with JWT tokens if they're not properly verified, leading to authentication bypass or privilege escalation.
Detection Strategy
• Identifies usage of JwtBuilder class in C# code
• Checks if the JWT token creation is missing signature verification by examining the code flow
• Reports a vulnerability when JwtBuilder is used without proper signature validation methods
• Specifically looks for JWT token creation patterns that don't include verification steps in the builder chain
Vulnerable code example
using System;
using JWT.Builder;

class JwtExample {
    public static void Main() {
        string secret = "mySecret";
        string token = "someToken";
        // Vulnerable: Decoding JWT without signature verification.
        // No algorithm, secret or MustVerifySignature() is configured on the
        // JwtBuilder chain, so the payload is returned even when the
        // signature is invalid or was stripped from the token.
        string payload = JwtBuilder.Create()
            .Decode(token);
        Console.WriteLine(payload);
    }
}

✅ Secure code example
using System;
using JWT.Algorithms;
using JWT.Builder;

class JwtExample {
    public static void Main() {
        string secret = "mySecret";
        string token = "someToken";
        // Secure: JWT decoding with mandatory signature verification.
        // WithAlgorithm and WithSecret pin the expected algorithm and key, and
        // MustVerifySignature() makes Decode throw instead of returning the
        // payload when the signature does not match.
        string payload = JwtBuilder.Create()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(secret)
            .MustVerifySignature()
            .Decode(token);
        Console.WriteLine(payload);
    }
}
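The two snippets above show the builder chain in isolation. The following is an added example, not code from the Fluid Attacks rule page or from the jwt-dotnet project, that puts both patterns side by side in one runnable program: it issues one token with the server's key and one with a different key, then shows that the unverified Decode hands back the claims of both while the verified Decode returns claims only for the token signed with the server's key. It assumes the jwt-dotnet NuGet package ("JWT", 8.x or later, which provides JwtBuilder, HMACSHA256Algorithm and the JWT.Exceptions types); the secrets, subjects and helper names (ReadVerifiedClaims, ReadUnverifiedClaims, Issue) are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using JWT.Algorithms;
using JWT.Builder;
using JWT.Exceptions;

// Added example, not from the rule page or the jwt-dotnet project.
// Assumes the jwt-dotnet package (NuGet "JWT", 8.x or later); all secrets
// and claim values below are constructed for the demonstration.
static class JwtVerificationDemo
{
    // Returns claims only after the signature has been checked against `secret`.
    // Returns null on any verification failure so a caller can never confuse an
    // unverified payload with a trusted one.
    public static IDictionary<string, object>? ReadVerifiedClaims(string token, string secret)
    {
        try
        {
            return JwtBuilder.Create()
                .WithAlgorithm(new HMACSHA256Algorithm())
                .WithSecret(secret)
                .MustVerifySignature()   // the call the detection rule looks for
                .Decode<IDictionary<string, object>>(token);
        }
        catch (SignatureVerificationException)
        {
            return null; // signed with another key, or header/payload altered
        }
        catch (TokenExpiredException)
        {
            return null; // "exp" claim is in the past
        }
    }

    // The insecure pattern the scanner flags: no algorithm, no secret,
    // no MustVerifySignature(). Kept here only to contrast with the helper above.
    public static IDictionary<string, object> ReadUnverifiedClaims(string token)
    {
        return JwtBuilder.Create()
            .Decode<IDictionary<string, object>>(token);
    }

    // Issues an HS256 token for `subject`, valid for five minutes.
    public static string Issue(string secret, string subject)
    {
        return JwtBuilder.Create()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(secret)
            .AddClaim("sub", subject)
            .AddClaim("exp", DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds())
            .Encode();
    }

    public static void Main()
    {
        const string serverSecret = "constructed-demo-secret-not-for-production";
        const string otherSecret  = "constructed-key-the-server-never-issued";

        string genuine = Issue(serverSecret, "alice");
        string foreign = Issue(otherSecret, "admin"); // valid structure, wrong key

        // Unverified decode returns a "sub" for both tokens, including the
        // one the server never signed: this is the authentication bypass.
        Console.WriteLine("unverified genuine: " + ReadUnverifiedClaims(genuine)["sub"]);
        Console.WriteLine("unverified foreign: " + ReadUnverifiedClaims(foreign)["sub"]);

        // Verified decode accepts only the token signed with the server's key.
        Console.WriteLine("verified genuine:   " + (ReadVerifiedClaims(genuine, serverSecret)?["sub"] ?? "rejected"));
        Console.WriteLine("verified foreign:   " + (ReadVerifiedClaims(foreign, serverSecret)?["sub"] ?? "rejected"));
    }
}
```

Returning null rather than rethrowing is a design choice for the example: it keeps the verified and unverified helpers comparable in shape. In production code, catching the specific JWT.Exceptions types and failing closed (reject the request, log the failure type) is the point; catching a general Exception around Decode would hide the difference between a malformed token and a forged one.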