JavaScript JWT Decode Without Verification
Description
Detects when JWT tokens are decoded without proper signature verification in JavaScript code. This vulnerability allows attackers to modify token contents without detection, potentially leading to authentication bypass or privilege escalation.
Detection Strategy
• Identifies calls to the jwt.decode() method in JavaScript code
• Checks whether the decoded token is used without a preceding signature verification, such as a call to jwt.verify()
• Reports a vulnerability when JWT tokens are decoded and their claims are trusted without verifying the cryptographic signature
Vulnerable code example
const jwt = require('jsonwebtoken');
function processToken(token) {
  // VULNERABLE: Using decode() instead of verify() skips signature validation
  const decodedToken = jwt.decode(token);
  return decodedToken;
}

✅ Secure code example
const jwt = require('jsonwebtoken');
function processToken(token) {
  const secretKey = process.env.JWT_SECRET_KEY; // Store secret in environment variable
  const allowedAlgos = ['HS256', 'PS384']; // Explicitly specify allowed algorithms
  try {
    // SAFE: Using verify() to validate signature and decode token
    return jwt.verify(token, secretKey, { algorithms: allowedAlgos });
  } catch (err) {
    return null; // Signature, algorithm or expiry check failed: reject the token
  }
}