C Sharp Jwt Signed Without Verification Jwt
Description
Detects unsafe JWT token validation in C# code where tokens are decoded without verifying their signatures. This allows attackers to modify token contents since the cryptographic signature is not being validated, potentially leading to authentication bypasses.
Detection Strategy
• Look for usage of JwtDecoder class in C# code
• Check if the JWT decoder is configured without signature verification settings
• Report vulnerability if JWT tokens can be processed without validating their cryptographic signatures
Vulnerable code example
using System;
class JwtExample {
public static void Main() {
IJwtDecoder decoder = new JwtDecoder();
string token = GetTokenFromRequest();
string secret = "mySecret";
...✅ Secure code example
using System;
class JwtExample {
public static void Main() {
IJwtDecoder decoder = new JwtDecoder();
string token = GetTokenFromRequest();
string secret = "mySecret"; // In production, get from secure config
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.