Java Hardcoded Jwt Signing Key
Description
Detects hardcoded signing keys used with the Auth0 java-jwt library (com.auth0.jwt) in Java applications. A signing key embedded in source code is a security risk: anyone with read access to the repository, the build artifacts or the decompiled bytecode can recover it and forge tokens the application will accept as valid, and rotating the key requires a code change and a redeploy instead of a configuration update.
Detection Strategy
• Verify the application imports the Auth0 JWT library (com.auth0.jwt.JWT)
• Look for JWT sign() method calls in the code
• Check whether the key used to build the Algorithm passed to sign() is a hardcoded value (a string literal, or a constant initialized from one) rather than a value loaded at runtime from configuration or a secrets store
• Report a vulnerability if a hardcoded key is used for JWT signing
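The following Python example is added here to make the four steps above concrete; it is not Fluid Attacks' own rule implementation, which this page does not show. It applies the strategy with regular expressions to Java source text: it requires the com.auth0.jwt.JWT import, finds every .sign(<var>) call, traces <var> back to its Algorithm.HMAC256/384/512(...) construction, and reports the call only when the key argument is a string literal or a String constant initialized from one. Keys that come from a runtime lookup such as System.getenv() are not reported. The three Java snippets it scans are constructed for this example, and the environment variable name JWT_SIGNING_KEY in the secure snippet is an illustrative assumption.

```python
import re
from dataclasses import dataclass

# Step 1: the file must use the Auth0 java-jwt library.
IMPORT_RE = re.compile(r"^\s*import\s+com\.auth0\.jwt\.JWT\s*;", re.MULTILINE)
# Step 2: a token is actually signed somewhere: `.sign(<algorithmVar>)`.
SIGN_RE = re.compile(r"\.sign\(\s*(\w+)\s*\)")
# Step 3 helpers: where does the Algorithm passed to sign() get its key?
ALGO_RE = re.compile(
    r"Algorithm\s+(\w+)\s*=\s*Algorithm\.HMAC(?:256|384|512)\(\s*([^)]*?)\s*\)\s*;"
)
STRING_CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*")\s*;')
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')


@dataclass
class Finding:
    line: int           # line of the sign() call that uses the hardcoded key
    algorithm_var: str  # name of the Algorithm variable passed to sign()
    key_source: str     # why the key is considered hardcoded


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def find_hardcoded_jwt_keys(source: str) -> list[Finding]:
    """Return one Finding per sign() call whose HMAC key is hardcoded."""
    if not IMPORT_RE.search(source):           # step 1: not java-jwt, nothing to check
        return []
    sign_calls = list(SIGN_RE.finditer(source))
    if not sign_calls:                         # step 2: no token is ever signed
        return []
    constants = {m.group(1): m.group(2) for m in STRING_CONST_RE.finditer(source)}
    algorithms = {m.group(1): m.group(2) for m in ALGO_RE.finditer(source)}
    findings = []
    for call in sign_calls:                    # step 3: trace sign(var) -> HMAC key
        key_expr = algorithms.get(call.group(1))
        if key_expr is None:
            continue                           # not an HMAC Algorithm we can resolve
        if LITERAL_RE.match(key_expr):
            reason = f"string literal {key_expr}"
        elif key_expr in constants:
            reason = f"constant {key_expr} = {constants[key_expr]}"
        else:
            continue                           # loaded at runtime: not reported
        findings.append(Finding(_line_of(source, call.start()), call.group(1), reason))  # step 4
    return findings


# Constructed sample inputs (not from the original page).
VULNERABLE_SRC = """\
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;

public class JWTVulnerableExample {
    private static final String HARDCODED_SECRET = "secret";

    public static String createToken() {
        Algorithm algorithm = Algorithm.HMAC256(HARDCODED_SECRET);
        return JWT.create().sign(algorithm);
    }
}
"""

LITERAL_SRC = """\
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;

public class DirectLiteral {
    static String token() {
        Algorithm alg = Algorithm.HMAC512("s3cr3t");
        return JWT.create().sign(alg);
    }
}
"""

SECURE_SRC = """\
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;

public class JWTSecureExample {
    public static String createToken() {
        String secret = System.getenv("JWT_SIGNING_KEY");  // illustrative variable name
        Algorithm algorithm = Algorithm.HMAC256(secret);
        return JWT.create().sign(algorithm);
    }
}
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("literal", LITERAL_SRC), ("secure", SECURE_SRC)]:
        print(name, find_hardcoded_jwt_keys(src))
```

Running the module scans the three snippets: the constant-based and direct-literal variants each produce one finding at their sign() line, while the getenv-based variant produces none. Removing the com.auth0.jwt.JWT import from any snippet also yields no findings, which is step 1 working as a precondition rather than a heuristic. A production rule would resolve the Algorithm through a real Java parser instead of regular expressions, but the decision logic is the same.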
Vulnerable code example
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
public class JWTVulnerableExample {
    private static final String HARDCODED_SECRET = "secret"; // Vulnerable: Hardcoded secret key
    public static String createToken() {
        Algorithm algorithm = Algorithm.HMAC256(HARDCODED_SECRET);
        return JWT.create().sign(algorithm); // Vulnerable: every token is signed with the key shipped in the source
    }
}
✅ Secure code example
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import java.util.Date;
public class JWTSecureExample {
    public static String createToken() throws JWTCreationException {
        String secret = System.getenv("JWT_SIGNING_KEY"); // Secure: key loaded at runtime, not from source (variable name is illustrative)
        if (secret == null || secret.isEmpty()) throw new IllegalStateException("JWT_SIGNING_KEY is not set");
        Algorithm algorithm = Algorithm.HMAC256(secret);
        return JWT.create().withExpiresAt(new Date(System.currentTimeMillis() + 900_000L)).sign(algorithm);
    }
}