Python : Unsafe JWT-token verification
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
PCI DSS 4.0
CWE
Overview
The verify_signature option controls whether the signature or the registered claim names in a JWT are validated.
When the option is set to False, the validation is switched off.
This is considered insecure because, without a verified digital signature, it is impossible to trust the integrity or authenticity of the claim set.
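The check described above can be approximated with a small AST scan, shown here as an added example that is not DerScanner's own rule or code from the original page. It assumes PyJWT-style calls of the form `jwt.decode(..., options={...})`; the function names and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source: the flagged call beside the verified form.
SAMPLE = '''
import jwt

def read_claims_insecure(token):
    # Signature check switched off: a forged claim set is accepted.
    return jwt.decode(token, options={"verify_signature": False})

def read_claims(token, key):
    # Signature verified against a pinned algorithm list.
    return jwt.decode(token, key, algorithms=["HS256"])
'''


def _callee(call):
    """Name of the called function: 'decode' for jwt.decode(...) or decode(...)."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


def _disables_signature(options):
    """True if a dict literal maps "verify_signature" to a falsy constant."""
    if not isinstance(options, ast.Dict):
        return False  # options built elsewhere are not tracked here
    return any(
        isinstance(k, ast.Constant) and k.value == "verify_signature"
        and isinstance(v, ast.Constant) and not v.value
        for k, v in zip(options.keys, options.values)
    )


def find_unverified_decodes(source):
    """Return sorted (line, text) pairs for decode() calls that skip verification."""
    lines = source.splitlines()
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _callee(node) == "decode":
            if any(kw.arg == "options" and _disables_signature(kw.value)
                   for kw in node.keywords):
                hits.add((node.lineno, lines[node.lineno - 1].strip()))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, text in find_unverified_decodes(SAMPLE):
        print(f"line {lineno}: unsafe JWT verification: {text}")
```

Only inline dict literals are inspected, so an options dictionary assigned to a variable first needs data-flow tracking that this example does not attempt.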
MEDIUM
DerScanner Severity Score
