Home / Vulnerability Database / Java : Hardcoded encryption key of JWT-token
Java
Java : Hardcoded encryption key of JWT-token
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
HIPAA
CWE/SANS Top 25 2011
CWE/SANS Top 25 2021
Overview
Hardcoded encryption key can lead to the application data being compromised.
Eliminating the security risks related to keys being specified in the source code is extremely difficult. Such keys are available at least to every developer of the application. Moreover, after the application is installed, removing the key from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have access to the source code to find out the value of the key.
Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.
References
- OWASP: Use of hard-coded cryptographic key
- CWE-321: Use of Hard-coded Cryptographic Key
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- Hacking JSON Web Tokens (JWTs) - The Startup
- JSON Web Token for Java - OWASP Cheat Sheet Series
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- CWE-798: Use of Hard-coded Credentials
CRITICAL
DerScanner Severity Score
Do you want to fix Java : Hardcoded encryption key of JWT-token in your application?
See also
Java
Java : Race condition
Java
Java : Text4Shell Vulnerability
Java