Detected use of the ‘none’ algorithm in a JWT token. The ‘none’ algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the ‘none’ algorithm. Instead, use an algorithm such as ‘HS256’. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
hardcoded-jwt-secret
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). Likelihood: HIGH Confidence: HIGH CWE: - CWE-798: Use of Hard-coded Credentials
OWASP: - A07:2021 - Identification and Authentication Failures