Java Jwt Unsigned Token
Description
Detects JSON Web Tokens (JWTs) that are created without a cryptographic signature in Java applications. Because no signature binds the token's contents to a key, the token's authenticity cannot be validated, so an attacker can forge or tamper with it, potentially leading to authentication bypass or privilege escalation.
Detection Strategy
• Identifies calls to the compact() method on JWT builder instances
• Verifies if the JWT builder was configured without proper signature settings
• Reports a vulnerability when a JWT is created without being signed
• Checks the configuration of JWT builder instances before token creation
• Looks for missing signing key or algorithm configurations in JWT creation
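The following Python check is an added illustration of the detection strategy above, not the rule implementation from Fluid Attacks: it splits Java source into statements, follows each Jwts.builder() chain or builder variable, and reports every compact() reached without signWith(). The function names, the SAMPLE_JAVA snippet and the simplifications noted in the comments are this example's own.

```python
import re

# Added example (not part of the Fluid Attacks rule): a minimal static check applying
# the detection strategy above to Java source ('//' comments stripped; string literals not handled).
BUILDER_RE = re.compile(r"(?:(\w+)\s*=\s*)?Jwts\.builder\(\)")  # optional 'var =' prefix
RECEIVER_RE = re.compile(r"\b(\w+)\s*\.")  # receiver of a method call, e.g. 'b.compact('

# Constructed sample: inline unsigned chain (3), signed variable (4-6), unsigned variable (7-8).
SAMPLE_JAVA = """\
String t = Jwts.builder()
    .setSubject(u)
    .compact();  // VULNERABLE: no signWith() anywhere in the chain
JwtBuilder b = Jwts.builder().setSubject(u);
b.signWith(key);
String ok = b.compact();
JwtBuilder c = Jwts.builder().setSubject(u);
String bad = c.compact();  // VULNERABLE: c was never signed
"""

def statements(java_source):
    # Yield (first_line, text) for each ';'-terminated statement, '//' comments removed.
    buf, start = [], 1
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        buf.append(line.split("//", 1)[0])
        if ";" in buf[-1]:
            yield start, "\n".join(buf)
            buf, start = [], lineno + 1

def find_unsigned_compacts(java_source):
    # Return 1-based line numbers of compact() calls whose builder never saw signWith().
    findings, builders = [], {}  # builders: variable name -> signWith() seen so far
    for start, stmt in statements(java_source):
        flat = " ".join(stmt.split())
        if ".compact(" in flat:  # exact line of the compact() call in this statement
            hit = start + next(i for i, l in enumerate(stmt.splitlines()) if ".compact(" in l)
        m = BUILDER_RE.search(flat)
        if m:
            if ".compact(" in flat:  # whole chain in one statement: must sign
                if ".signWith(" not in flat:
                    findings.append(hit)
            elif m.group(1):  # builder kept in a variable; is it already signed?
                builders[m.group(1)] = ".signWith(" in flat
            continue
        for var in set(RECEIVER_RE.findall(flat)):
            if var in builders:
                builders[var] = builders[var] or ".signWith(" in flat
                if ".compact(" in flat and not builders[var]:
                    findings.append(hit)
    return findings
```

Running find_unsigned_compacts(SAMPLE_JAVA) reports lines 3 and 8, while the builder that was signed before compact() on line 6 is not flagged.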
Vulnerable code example
import io.jsonwebtoken.Jwts;

public class JwtExample {
    public String createUnsafeToken(String username) {
        // VULNERABLE: creates an unsigned JWT that can be easily forged
        return Jwts.builder()
            .setSubject(username)
            .compact();
    }
}

✅ Secure code example
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.crypto.SecretKey;
import io.jsonwebtoken.security.Keys;
public class JwtExample {
    private final SecretKey secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    public String createSafeToken(String username) {
        // SECURE: the token is signed with the key, so tampering is detected on verification
        return Jwts.builder()
            .setSubject(username)
            .signWith(secretKey)
            .compact();
    }
}