JWT01 Insecure JWT Handling
What this means
SiteShadow flagged JWT usage that may accept forged or unsafe tokens (examples: decoding without verifying a signature, weak/incorrect algorithms, or missing claim validation like iss, aud, and expiry).
Why it matters
- Account takeover: forged tokens can impersonate users.
- Privilege escalation: attackers can mint tokens with elevated roles/claims.
- Long-lived compromise: overly long expirations or missing revocation creates durable access.
Safer examples
1) Always verify signature + algorithm + key
Use a well-maintained JWT library and verify by default. Avoid "none" and algorithm confusion.
2) Validate claims (issuer, audience, expiry)
// Pseudocode: exact API depends on library
verifyJwt(token, {
issuer: "https://auth.example.com",
audience: "siteshadow-api",
clockToleranceSeconds: 60,
});
3) Keep tokens short-lived and rotate keys
- Short access token TTLs; use refresh tokens with rotation.
- Use key IDs (kid) safely (don't fetch keys from attacker-controlled URLs).
How SiteShadow detects it (high level)
- Looks for JWT decode/verify APIs and flags patterns that disable verification or skip claim checks.
- Flags risky configurations (e.g., accepting multiple algorithms without pinning, ignoring exp/aud/iss).
References
- OWASP JWT Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html