SYM_RB_0001 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code uses a hardcoded secret or private key when encoding or decoding JWTs, instead of obtaining the key from a secrets store or runtime configuration. A key embedded in source code is visible to anyone who can read the repository or its build artifacts, so it is easy to discover and compromise.
Impact
If an attacker gains access to the codebase, they can extract the JWT secret and forge or tamper with tokens, potentially impersonating users or gaining unauthorized access to protected resources. This can lead to data breaches and loss of trust in the application's security.
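The vulnerable pattern and its corrected form, plus a check that shows why the impact above is real, as an added example that is not code from the Symbiotic Vulnerability Database or any project it describes. Ruby is assumed from the `SYM_RB` prefix, since the Language field is empty. `MiniJwt` is a stand-in HS256 implementation on the Ruby standard library so the file runs without the `jwt` gem; `HARDCODED_SECRET` is a constructed placeholder and `JWT_SECRET` is an assumed environment variable name.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT encode/verify on the Ruby standard library only, so this
# file runs stand-alone. Production code should use a maintained JWT library.
module MiniJwt
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0') # strict decode, raises ArgumentError on junk
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encode(payload, secret)
    header = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
    body   = b64url(JSON.generate(payload))
    input  = "#{header}.#{body}"
    "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
  end

  # Returns the payload Hash when the HS256 signature verifies, nil otherwise.
  # The algorithm is fixed here; the token's own alg header is never trusted.
  def self.decode(token, secret)
    header, body, sig = token.split('.', 3)
    return nil if [header, body, sig].any?(&:nil?)
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
    return nil unless secure_equal?(expected, b64url_decode(sig))
    JSON.parse(b64url_decode(body))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# --- Vulnerable (CWE-522): the signing secret lives in the source tree --------
HARDCODED_SECRET = 'replace-me-this-is-in-git'.freeze # constructed placeholder

def issue_token_insecure(user_id)
  MiniJwt.encode({ 'sub' => user_id, 'admin' => false }, HARDCODED_SECRET)
end

def verify_token_insecure(token)
  MiniJwt.decode(token, HARDCODED_SECRET)
end

# --- Hardened: the secret is injected at runtime and never committed ----------
# JWT_SECRET is an assumed variable name supplied by a secrets manager or the
# deployment platform. Failing closed at startup beats falling back to a default.
def jwt_secret(env = ENV)
  secret = env['JWT_SECRET']
  raise 'JWT_SECRET is not configured or is too short' if secret.nil? || secret.bytesize < 32
  secret
end

def issue_token(user_id, env = ENV)
  MiniJwt.encode({ 'sub' => user_id, 'admin' => false }, jwt_secret(env))
end

def verify_token(token, env = ENV)
  MiniJwt.decode(token, jwt_secret(env))
end

# Why the finding matters: anyone who has read the source knows HARDCODED_SECRET
# and can mint a token with arbitrary claims that the insecure verifier accepts.
def hardcoded_secret_allows_forgery?
  forged = MiniJwt.encode({ 'sub' => 'attacker', 'admin' => true }, HARDCODED_SECRET)
  claims = verify_token_insecure(forged)
  !claims.nil? && claims['admin'] == true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed runtime secret for the demo; in deployment it comes from ENV.
  env = { 'JWT_SECRET' => OpenSSL::Random.random_bytes(32).unpack1('H*') }
  token = issue_token('alice', env)
  puts "hardened token verifies: #{!verify_token(token, env).nil?}"
  puts "hardcoded secret lets a source reader forge admin: #{hardcoded_secret_allows_forgery?}"
end
```

The hardened verifier rejects anything signed with the committed value, which is the practical fix once the secret is moved out of the repository: rotate to a fresh runtime-supplied key and treat every token minted under the old hardcoded one as invalid.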