Insecurely generated token - JWT
Description
The token used to consume the user creation service in the application is not generated securely: the key that signs it is weak and was easily found, as reported in the weak credentials finding. For this reason, an attacker can modify token parameters such as the expiration date, consume the service and perform queries in the application.
Impact
An attacker can sign a token that the application accepts as legitimate and use it to consume the user creation service.
Recommendation
Use strong, randomly generated secrets for signing and verifying the user creation token.
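The following added example (not code from the original page or from the application it describes) shows what the recommendation looks like in practice for an HS256 token: the issuer refuses a signing key shorter than 256 bits, and the verifier pins the algorithm, compares the HMAC in constant time and enforces exp. STRONG_KEY and WEAK_KEY are constructed for the example; raw_sign exists only to model a token produced with a guessed key, so that the verifier's rejection of it can be checked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MIN_KEY_BYTES = 32                     # HS256 keys must be at least 256 bits (RFC 7518, section 3.2)
STRONG_KEY = secrets.token_bytes(32)   # drawn from the OS CSPRNG at startup (example only)
WEAK_KEY = b"secret"                   # constructed stand-in for the guessable key in the finding

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def raw_sign(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with no key check; models a token forged with a guessed key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def issue_token(claims: dict, key: bytes) -> str:
    """Issue a token for the user creation service; refuses keys short enough to brute-force."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("signing key shorter than %d bytes" % MIN_KEY_BYTES)
    return raw_sign(claims, key)

def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg is HS256, the HMAC matches and exp lies in the future."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None                  # never let the token pick the algorithm (e.g. "none")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                  # constant-time signature comparison
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims.get("exp"), (int, float)):
            return None                  # exp is mandatory for a service token
        if claims["exp"] <= (time.time() if now is None else now):
            return None                  # an extended exp only helps if the attacker holds the key
        return claims
    except (ValueError, AttributeError, TypeError):
        return None                      # malformed base64, JSON or structure is a rejection
```

With a key of this size the attacker can no longer recover it offline, so an altered expiration date yields a token whose signature no longer verifies.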
Threat
Anonymous attacker from the Internet.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
228 - Authenticate using standard protocols
Score
Default score using CVSS 4.0. It may change depending on the context of the source.
Base 4.0
Attack vector
N
Attack complexity
L
Attack requirements
N
Privileges required
N
User interaction
N
Confidentiality (VC)
N
Integrity (VI)
L
Availability (VA)
N
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
X
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N