Kotlin: Hardcoded encryption key of JWT token
Classification
OWASP Top 10 2013: A6-Sensitive Data Exposure
OWASP Top 10 2017: A3-Sensitive Data Exposure
OWASP Top 10 2021: A2-Cryptographic Failures, A4-Insecure Design
OWASP MASVS: V2: 2.2 (L1/L2/L1+R/L2+R), V3: 3.1 (L1/L2/L1+R/L2+R), V8: 8.11 (L1+R/L2+R), V8: 8.13 (L1+R/L2+R)
OWASP ASVS: Stored Cryptography, Stored Cryptography, Stored Cryptography, Session Management, Authentication
PCI DSS 4.0: 3.7.3, 6.5.6, 6.2.4, 8.3.2
HIPAA: §164.312 (e)(1)
CWE: CWE-321, CWE-798, CWE-1032
CWE/SANS Top 25 2011: CWE-798
CWE/SANS Top 25 2021: CWE-798
Overview
A hardcoded encryption key can lead to application data being compromised.
Eliminating the security risks related to keys being specified in the source code is extremely difficult. Such keys are available at least to every developer of the application. Moreover, after the application is installed, removing the key from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have access to the source code to find out the value of the key.
Sensitive Data Exposure vulnerabilities take third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.
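As an added example (not code from the original page), the following Kotlin shows an HS256 JWT signer with the secret hardcoded as a constant, beside a version that loads the key at runtime and checks its length. The environment variable name JWT_HMAC_KEY and the placeholder secret are assumptions for this example; only JDK classes are used.

```kotlin
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// VULNERABLE: the HS256 secret is a compile-time constant. It is stored as a
// plain string in the APK/JAR and can be read out with any decompiler.
object VulnerableJwtSigner {
    private const val SECRET = "change-me-please" // constructed placeholder, not a real key
    fun sign(payloadJson: String): String = hs256Jwt(payloadJson, SECRET.toByteArray())
}

// HARDENED: the key is supplied at runtime (via an environment variable here,
// an assumption for this example; a KeyStore or secrets manager works the same
// way) and its length is checked against the HS256 minimum of 256 bits (RFC 7518).
object HardenedJwtSigner {
    private val key: ByteArray by lazy {
        val encoded = System.getenv("JWT_HMAC_KEY")
            ?: error("JWT_HMAC_KEY is not set; refusing to start without a signing key")
        val raw = Base64.getDecoder().decode(encoded)
        require(raw.size >= 32) { "HS256 key must be at least 256 bits" }
        raw
    }
    fun sign(payloadJson: String): String = hs256Jwt(payloadJson, key)
}

private val b64 = Base64.getUrlEncoder().withoutPadding()

// Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)
fun hs256Jwt(payloadJson: String, key: ByteArray): String {
    val header = b64.encodeToString("""{"alg":"HS256","typ":"JWT"}""".toByteArray())
    val payload = b64.encodeToString(payloadJson.toByteArray())
    val signingInput = "$header.$payload"
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(SecretKeySpec(key, "HmacSHA256"))
    val sig = b64.encodeToString(mac.doFinal(signingInput.toByteArray()))
    return "$signingInput.$sig"
}

fun main() {
    println(VulnerableJwtSigner.sign("""{"sub":"alice"}"""))
    // Fails fast unless JWT_HMAC_KEY holds a base64 key of at least 32 bytes.
    println(HardenedJwtSigner.sign("""{"sub":"alice"}"""))
}
```

In a code review or SAST rule, the pattern to flag is the first form: a string literal (or `const val`) flowing into the key parameter of a MAC or JWT signing call.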
References
- OWASP: Use of hard-coded cryptographic key
- CWE-321: Use of Hard-coded Cryptographic Key
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- Hacking JSON Web Tokens (JWTs) - The Startup
- JSON Web Token for Java - OWASP Cheat Sheet Series
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- CWE-798: Use of Hard-coded Credentials