Ruby Decode Without Verification
Description
Identifies JWT tokens that are decoded without signature verification in Ruby applications. This is a significant security risk: because the cryptographic signature is never validated, an attacker can tamper with the token's claims and the application will accept them as genuine.
Detection Strategy
• Check if the 'jwt' library is imported in the Ruby code
• Look for calls to JWT.decode() method
• Verify if the third argument (verify parameter) is set to false
• Report a vulnerability when JWT token verification is explicitly disabled through the verify=false parameter
Vulnerable code example
require 'jwt'

def decode_token(token, secret)
  # Vulnerable: JWT verification disabled by setting verify=false
  decoded = JWT.decode(token, secret, false, { algorithm: 'HS256' })
  decoded[0]
end

✅ Secure code example
require 'jwt'

def decode_token(token, secret)
  # Safe: Enable JWT verification by setting verify=true to validate signature
  decoded = JWT.decode(token, secret, true, { algorithm: 'HS256' })
  decoded[0]
end
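To make the effect of the third argument concrete, the following added example (not part of the original page, and not code from the jwt gem) implements minimal HS256 encoding and a decode(token, secret, verify) function in plain Ruby stdlib with the same argument shape. The secret, claims and tampered token are constructed for the demonstration; it shows that verify=false hands back altered claims while verify=true rejects them.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT helpers written for this example (stdlib only, not the jwt gem).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

def hs256_encode(payload, secret)
  signing_input = "#{b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}." \
                  "#{b64url_encode(JSON.generate(payload))}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# verify=false returns the claims without touching the signature (the pattern this
# rule flags); verify=true recomputes the HMAC and rejects anything that does not match.
def hs256_decode(token, secret, verify)
  header, body, sig = token.split('.', 3)
  raise ArgumentError, 'malformed token' if [header, body, sig].any?(&:nil?)
  if verify
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
    # Constant-time comparison so the check does not leak where the mismatch is.
    raise 'signature verification failed' unless OpenSSL.secure_compare(expected, b64url_decode(sig))
  end
  JSON.parse(b64url_decode(body))
end

# Constructed scenario: a genuine token, and a copy whose payload was altered without
# access to the secret, so the original signature no longer covers its contents.
def verification_demo(secret = 'constructed-demo-secret')
  genuine = hs256_encode({ 'sub' => 'alice', 'role' => 'user' }, secret)
  header, _body, sig = genuine.split('.', 3)
  tampered = [header, b64url_encode(JSON.generate({ 'sub' => 'alice', 'role' => 'admin' })), sig].join('.')
  {
    unverified_role: hs256_decode(tampered, secret, false)['role'],    # "admin": accepted as-is
    verified_genuine_role: hs256_decode(genuine, secret, true)['role'], # "user"
    verified_tampered: begin
      hs256_decode(tampered, secret, true)
    rescue RuntimeError => e
      e.message # "signature verification failed"
    end
  }
end
```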