SYM_PY_0003 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A2:2017 - Broken Authentication |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code uses a string literal in the source as the HMAC secret (or the private key) that signs and verifies JWTs. A secret embedded in code is not a secret: anyone with read access to the repository, its version history, a built container image or a leaked stack trace can recover it; it is copied unchanged into every environment (development, staging, production); and rotating it requires a code change and a redeploy rather than a configuration change.
Impact
An attacker who learns the hardcoded secret can sign arbitrary tokens that the server accepts: set any subject, role or expiry, impersonate any user including administrators, and reach protected resources and data without ever authenticating. Because the same key verifies existing tokens, containing the damage means rotating the key and invalidating every outstanding token. The secret should instead be loaded at startup from the environment or a secret store, and the application should refuse to start when it is absent rather than fall back to a default value.
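The following is an added example, not code from the Symbiotic database or from any flagged project. It shows the vulnerable pattern the description refers to (a hardcoded signing key), the forgery the impact section describes (an attacker who has read the constant mints an admin token the server accepts), and a hardened form that loads the key from an environment variable and fails closed. To run offline it uses a minimal HS256 implementation on the standard library in place of PyJWT; the names `JWT_SECRET`, `load_jwt_secret`, the 32-byte minimum key length and the sample secret values are assumptions made for the example.

```python
"""Hardcoded JWT secret (CWE-522): vulnerable pattern, forgery, hardened form.

Added example, not from the Symbiotic database. Minimal HS256 on the
standard library stands in for PyJWT so the file runs without dependencies.
"""
import base64
import hashlib
import hmac
import json
import os


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(payload: dict, key: bytes) -> str:
    """Sign a payload as an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_decode(token: str, key: bytes) -> dict:
    """Verify the HS256 signature in constant time and return the payload, or raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


# --- Vulnerable pattern (what this finding flags) ---------------------------
JWT_SECRET = b"super-secret-key-123"  # hardcoded: anyone with the source has it


def issue_token_vulnerable(user: str) -> str:
    return jwt_encode({"sub": user, "role": "user"}, JWT_SECRET)


def check_token_vulnerable(token: str) -> dict:
    return jwt_decode(token, JWT_SECRET)


# --- What an attacker does with the leaked constant -------------------------
def forge_admin_token(leaked_secret: bytes) -> str:
    """Whoever read the secret out of the repo can mint a token the server accepts."""
    return jwt_encode({"sub": "attacker", "role": "admin"}, leaked_secret)


# --- Hardened form: key comes from the deployment, not the repository -------
def load_jwt_secret(env=None) -> bytes:
    """Read the key from the JWT_SECRET variable (assumed name) and fail closed.

    A missing or short key aborts startup; there is deliberately no default.
    HS256 keys should be at least 256 bits (32 bytes).
    """
    env = os.environ if env is None else env
    value = env.get("JWT_SECRET")
    if not value or len(value.encode("utf-8")) < 32:
        raise RuntimeError("JWT_SECRET must be set and at least 32 bytes long")
    return value.encode("utf-8")


def issue_token_hardened(user: str, key: bytes) -> str:
    return jwt_encode({"sub": user, "role": "user"}, key)


if __name__ == "__main__":
    forged = forge_admin_token(JWT_SECRET)
    print("vulnerable server accepted forged token:", check_token_vulnerable(forged))
    # Constructed value; in a real deployment the variable is injected by the platform.
    key = load_jwt_secret({"JWT_SECRET": "x" * 48})
    print("hardened token:", issue_token_hardened("alice", key))
```

Note that the hardened version changes nothing about the signing code itself; the fix is purely where the key lives and what happens when it is absent. Refusing to start on a missing `JWT_SECRET` matters as much as removing the literal, because a fallback such as `os.environ.get("JWT_SECRET", "changeme")` reintroduces the same hardcoded secret one line lower.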