Java Insecure Signature Algorithm
Description
Identifies the use of potentially insecure signature algorithms in Java applications through the signWith method. Insecure signature algorithms can compromise the integrity and authenticity of digital signatures, potentially allowing attackers to forge signatures or break the cryptographic security.
Detection Strategy
• Check for calls to the 'signWith' method in Java code
• Look for string literal arguments passed directly to the signWith method
• Report a vulnerability when signWith is called with hardcoded algorithm parameters
Vulnerable code example
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
public class JwtExample {
public String createToken() {
// Vulnerable: Hardcoded JWT secret key in code
String secretKey = "MyHardcodedSecret123";
...✅ Secure code example
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.util.Date;
public class JwtExample {
public String createToken() {...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.