Typescript Allow Invalid Key Types
Description
Detects insecure configurations in JWT token validation where invalid or weak key types are allowed. This vulnerability could allow attackers to forge tokens or bypass signature verification, potentially leading to authentication bypass or privilege escalation.
Detection Strategy
• Identifies JWT library usage in the code with configuration options
• Checks for JWT verification or signing operations where key type restrictions are disabled or misconfigured
• Reports vulnerabilities when JWT operations allow non-standard or insecure key types
• Examines configuration parameters passed to JWT library functions for potential insecure settings
Vulnerable code example
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
// Generate mismatched key types (DSA for RS256 algorithm)
const { privateKey: dsaKey } = crypto.generateKeyPairSync('dsa', {
  modulusLength: 2048
});
...
✅ Secure code example
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
// Generate an RSA key pair, which matches the RS256 algorithm's requirements
const { privateKey } = crypto.generateKeyPairSync('rsa', { // Use RSA for RS256 algorithm
  modulusLength: 2048
});
...