Javascript Allow Invalid Key Types
Description
Detects insecure JWT token validation configurations in JavaScript code where unsafe key types are allowed. This can lead to authentication bypass vulnerabilities if an attacker exploits weak key validation in the JWT verification process.
Detection Strategy
• Identifies usage of the 'jsonwebtoken' library in JavaScript code
• Checks JWT verification configurations to find instances where invalid or unsafe key types are permitted
• Reports a vulnerability when JWT token validation does not properly restrict key types, potentially allowing weak keys
Vulnerable code example
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
// Generate mismatched key types for demonstration
const { publicKey: dsaPublicKey, privateKey: dsaPrivateKey } =
crypto.generateKeyPairSync('dsa', { modulusLength: 2048 });
// VULNERABLE: Using DSA key with RS256 algorithm and explicitly allowing invalid key types...✅ Secure code example
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
// Generate proper RSA keys for RS256 algorithm
const { publicKey, privateKey } =
crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.