SYM_JAVA_0016 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code uses a hardcoded secret or private key when signing (encoding) or verifying (decoding) JWTs. Storing secrets directly in source code makes them easy to discover for anyone who can read the repository or the built artifact, and compromises the security of every token signed with that key.
Impact
If attackers gain access to your source code, they can extract the hardcoded secret and forge or tamper with JWTs, leading to unauthorized access, privilege escalation, or data breaches. This can undermine the entire authentication and authorization system of your application.
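The flaw and its fix side by side, added here as an illustration rather than code from the database entry; it assumes the auth0 java-jwt library, a hypothetical JWT_SIGNING_KEY environment variable, and a constructed placeholder secret for the vulnerable variant:

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.charset.StandardCharsets;

public class JwtSigningKeyExample {
    // VULNERABLE (CWE-522): the HMAC secret lives in the source and the compiled jar,
    // so anyone with read access to either can mint or alter tokens that verify cleanly.
    static final String HARDCODED_SECRET = "super-secret-change-me";   // constructed example value

    static String issueTokenVulnerable(String subject) {
        return JWT.create().withSubject(subject).sign(Algorithm.HMAC256(HARDCODED_SECRET));
    }

    // FIXED: the key is injected at runtime (environment variable here; a secrets
    // manager or KMS in production) and never appears in source control.
    private static final String KEY_ENV_VAR = "JWT_SIGNING_KEY";   // assumed variable name
    private static final int MIN_KEY_BYTES = 32;                   // RFC 7518: HS256 key >= 256 bits

    static byte[] loadSigningKey() {
        String raw = System.getenv(KEY_ENV_VAR);
        if (raw == null || raw.isEmpty()) {
            // Fail closed: refuse to start rather than fall back to a default secret.
            throw new IllegalStateException(KEY_ENV_VAR + " is not set");
        }
        byte[] key = raw.getBytes(StandardCharsets.UTF_8);
        if (key.length < MIN_KEY_BYTES) {
            throw new IllegalStateException("signing key must be at least " + MIN_KEY_BYTES + " bytes");
        }
        return key;
    }

    static String issueToken(byte[] key, String subject) {
        return JWT.create().withSubject(subject).withIssuer("example-app").sign(Algorithm.HMAC256(key));
    }

    static DecodedJWT verifyToken(byte[] key, String token) {
        // Pin the algorithm and issuer so a token signed any other way is rejected.
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(key)).withIssuer("example-app").build();
        return verifier.verify(token);   // throws JWTVerificationException on failure
    }

    public static void main(String[] args) {
        byte[] key = loadSigningKey();
        String token = issueToken(key, "alice");
        System.out.println("subject: " + verifyToken(key, token).getSubject());
    }
}
```

Run with `JWT_SIGNING_KEY` set to a random value of at least 32 bytes; without it the program refuses to start instead of silently signing with a weak default.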