Ruby Hardcoded Key For Token
Description
This detector identifies hardcoded cryptographic keys used in JWT token generation in Ruby applications. When JWT tokens are signed with hardcoded keys embedded directly in source code, attackers who gain access to the code can forge valid tokens, completely bypassing authentication and authorization mechanisms.
Detection Strategy
• The JWT library must be imported in the Ruby code
• A JWT encode function call must be present (typically JWT.encode)
• The second argument to the JWT encode function (the signing key) must be a hardcoded value
• The hardcoded key is detected as a string literal, constant, or other statically defined value rather than being retrieved from secure storage or environment variables
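The following is an added example (not Fluid Attacks' detector) that applies the four strategy steps above to Ruby source text: it requires `require 'jwt'`, locates `JWT.encode` calls, and flags a second argument that is a string literal or a constant assigned a string literal, while accepting keys pulled from the environment. The regexes and the sample source are constructed for illustration.

```ruby
# Simplified scanner applying the detection strategy above (constructed
# example, not Fluid Attacks' detector). It reports JWT.encode calls whose
# second argument is a string literal or a constant assigned a string literal.
REQUIRE_RE = /^\s*require\s+['"]jwt['"]/
# Captures the second argument of JWT.encode; a simplification that stops at
# the first comma or closing parenthesis.
ENCODE_RE  = /JWT\.encode\s*\(\s*[^,]+,\s*([^,)]+)/
# Top-level constant assigned a quoted string, e.g. SECRET = 'abc'
CONST_RE   = /^\s*([A-Z][A-Za-z0-9_]*)\s*=\s*(['"]).*\2\s*$/

# Returns [[line_number, key_expression], ...] for each hardcoded signing key.
def find_hardcoded_jwt_keys(source)
  lines = source.lines
  # Strategy step 1: the jwt library must be required in this file.
  return [] unless lines.any? { |l| l.match?(REQUIRE_RE) }

  # Step 4: constants holding a string literal count as statically defined keys.
  literal_consts = lines.filter_map { |l| l[CONST_RE, 1] }

  findings = []
  lines.each_with_index do |line, idx|
    # Steps 2 and 3: a JWT.encode call whose second argument is static.
    m = line.match(ENCODE_RE)
    next unless m
    key = m[1].strip
    hardcoded = key.start_with?("'", '"') || literal_consts.include?(key)
    findings << [idx + 1, key] if hardcoded
  end
  findings
end

# Constructed sample: two hardcoded keys (lines 4 and 5) and one safe ENV lookup.
VULNERABLE_SAMPLE = <<~RUBY
  require 'jwt'
  SECRET = 'my-static-secret'
  payload = { data: 'test' }
  token_a = JWT.encode(payload, 'hardcoded-key', 'HS256')
  token_b = JWT.encode(payload, SECRET, 'HS256')
  token_c = JWT.encode(payload, ENV.fetch('JWT_SECRET'), 'HS256')
RUBY

puts find_hardcoded_jwt_keys(VULNERABLE_SAMPLE).inspect
# => [[4, "'hardcoded-key'"], [5, "SECRET"]]
```

A real detector works on a parsed AST rather than line regexes, so multi-line calls and keys built by string concatenation are outside what this sketch catches.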
Vulnerable code example
require 'jwt'
payload = {
  data: 'test',
  exp: Time.now.to_i + 60 * 60,
  nbf: Time.now.to_i
}
...
✅ Secure code example
require 'jwt'
payload = {
  data: 'test',
  exp: Time.now.to_i + 60 * 60,
  nbf: Time.now.to_i
}
...