Python Jwt Decode Without Verification
Description
Detects when JWT tokens are decoded without verifying their cryptographic signatures. This is a critical security vulnerability: because the token's authenticity is never checked during decoding, an attacker can alter the token's contents and the application will accept the tampered claims as genuine.
Detection Strategy
• Checks if JWT libraries (jwt or jose) are imported in the code
• Identifies JWT decode operations from either the jwt/jose libraries or their class instances
• Looks for decode() calls where the 'verify_signature' option is explicitly set to False
• Reports a vulnerability when JWT token decoding occurs with signature verification disabled
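The detection strategy above, worked through as a small AST-based checker. This is an added example, not the rule's actual implementation: it implements checks 1 and 3 directly, and simplifies check 2 by treating any decode()/.decode() call as a JWT decode once jwt or jose is imported in the module (an assumption of this example). The SAMPLE source is constructed for illustration.

```python
import ast

JWT_MODULES = {"jwt", "jose"}

def _imports_jwt_library(tree):
    """Check 1: is jwt or jose imported anywhere in the module?"""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in JWT_MODULES for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in JWT_MODULES:
                return True
    return False

def _disables_verification(call):
    """Check 3: does the call pass options={"verify_signature": False}?"""
    for kw in call.keywords:
        if kw.arg == "options" and isinstance(kw.value, ast.Dict):
            for k, v in zip(kw.value.keys, kw.value.values):
                if (isinstance(k, ast.Constant) and k.value == "verify_signature"
                        and isinstance(v, ast.Constant) and v.value is False):
                    return True
    return False

def find_unverified_decodes(source):
    """Return line numbers of decode() calls made with signature checks off."""
    tree = ast.parse(source)
    if not _imports_jwt_library(tree):
        return []  # no JWT library in scope: nothing to report
    hits = []
    for node in ast.walk(tree):
        f = node.func if isinstance(node, ast.Call) else None
        # Assumption of this example: any decode()/.decode() call counts as a JWT
        # decode (module function or class instance) once jwt/jose is imported.
        is_decode = (isinstance(f, ast.Attribute) and f.attr == "decode") or \
                    (isinstance(f, ast.Name) and f.id == "decode")
        if is_decode and _disables_verification(node):
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample source: lines 3 and 5 disable verification, line 4 does not.
SAMPLE = """import jwt
from jose import jwt as jose_jwt
payload = jwt.decode(t, k, options={"verify_signature": False})
ok = jwt.decode(t, k, algorithms=["HS256"])
other = jose_jwt.decode(t, k, options={"verify_aud": False, "verify_signature": False})
"""
```

Running find_unverified_decodes(SAMPLE) reports lines 3 and 5; the call on line 4 keeps verification on and is not flagged.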
Vulnerable code example
import jwt
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
key = "secret"
# Vulnerable: Explicitly disables JWT signature verification
payload = jwt.decode(token, key, options={"verify_signature": False})

✅ Secure code example
import jwt
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
key = "secret"
# Safe: Enabling signature verification with specified algorithm
payload = jwt.decode(token, key, algorithms=["HS256"])  # Enforces signature verification