Python Hardcoded JWT Token Used
Description
Detects hardcoded JWT tokens and credentials exposed directly in Python source code. This represents a security risk since embedded credentials can be extracted from the code and potentially misused by attackers to gain unauthorized access.
Detection Strategy
• Scans Python source code files for string literals and variable assignments
• Identifies variable names and string literals that match JWT tokens or credential values (e.g., names such as 'secret', 'password', or 'token')
• Reports a vulnerability when credentials or JWT tokens are found hardcoded in the code rather than loaded from secure configuration
• Common risky patterns include: hardcoded API keys, database passwords, JWT signing keys, and authentication tokens
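The following is an added example, not Fluid Attacks' own scanner: a minimal AST-based check that implements the strategy above (string literals assigned to credential-like names, or literals shaped like a compact JWT). The name list, the JWT regex and the SAMPLE source are constructed for the example.

```python
"""Added example: flag hardcoded credentials and JWT-shaped literals in Python source."""
import ast
import re

# Variable names that suggest a credential (assumed list for this example).
CREDENTIAL_NAMES = re.compile(
    r"(secret|password|passwd|token|api_?key|private_?key|public_key)", re.I
)
# Three base64url segments joined by dots, the shape of a compact JWS/JWT.
JWT_LITERAL = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def find_hardcoded_credentials(source: str, filename: str = "<source>"):
    """Return (line, name, reason) tuples for suspicious string assignments."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, (ast.Assign, ast.AnnAssign)):
            continue
        value = node.value
        # Only string constants count; os.environ[...] or function calls are fine.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        targets = node.targets if isinstance(node, ast.Assign) else [node.target]
        for target in targets:
            if not isinstance(target, ast.Name):
                continue
            if JWT_LITERAL.match(value.value):
                findings.append((node.lineno, target.id, "JWT-shaped literal"))
            elif CREDENTIAL_NAMES.search(target.id) and value.value:
                findings.append((node.lineno, target.id, "credential-like name"))
    return findings


# Constructed sample source: two findings expected, two lines that are clean.
SAMPLE = '''
import os
import jwt
public_key = "test_key"
jwt_token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"
safe_key = os.environ["JWT_PUBLIC_KEY"]
greeting = "hello"
'''

if __name__ == "__main__":
    for line, name, reason in find_hardcoded_credentials(SAMPLE):
        print(f"line {line}: {name} ({reason})")
```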
Vulnerable code example

import jwt

# VULNERABLE: the verification key is a hardcoded, predictable string literal
public_key = "test_key"

def verify(incoming_token):
    # incoming_token is the JWT supplied by the client
    token = jwt.decode(incoming_token, public_key, algorithms=["RS256"])
    print(token)

✅ Secure code example
import os
import jwt

try:
    # Load key and token securely from the environment, not hardcoded
    public_key = os.environ['JWT_PUBLIC_KEY']  # PEM-encoded RSA public key stored securely
    incoming_token = os.environ['JWT_TOKEN']
    token = jwt.decode(incoming_token, public_key, algorithms=["RS256"])
    print(token)
except KeyError as e:
    print(f"Missing configuration: {e}")
except jwt.InvalidTokenError as e:
    print(f"Token rejected: {e}")