Comments (3)
First of all, any hardcoded (predictable/constant) cryptographic key (private key or symmetric key for signing or encryption) is not secure; see CWE-321, NIST Special Publication 800-57 and other public publications.
Second, I observed that lamp-core-3.7.0 and lamp-util-3.7.0 are two separate libraries in which the key you use to generate or verify the JWT signature is hardcoded. All JWTs generated by applications or web programs that use these two packages can be forged.
JWT is widely used in permission granting or identity authentication, and the integrity of the JWT is guaranteed by the signature algorithm. If the signature key is obtained by others, the attacker can arbitrarily forge the JWT to obtain the corresponding permission or log in as any user.
from lilishop.
Thank you for your feedback.
In the current system, JWT is just the cached key, not a direct string for permission verification. The decrypted information is also public information, so there will be no relevant security problems. If the attacker needs to invade the current system, he needs to invade Redis first.
This is only a security enhancement suggestion, because our detector only detects the implementation security of JWT. Using a hard-coded secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to store the secret used to generate the JWT.
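The thread above turns on one point: an HMAC-signed JWT is only as trustworthy as the secrecy of its key, so a constant baked into a library (CWE-321) lets anyone holding the jar mint tokens. The block below is an added example, not code from lilishop or the lamp-* libraries, written in Python rather than the project's Java. It shows the recommended shape: the key is loaded from the environment (`JWT_SIGNING_KEY` is an assumed deployment variable), too-short keys are refused at startup, the `alg` is pinned rather than read from the token, and verification uses a constant-time compare. The demo then confirms that a token signed under any other key, or with an edited payload, fails verification.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_KEY_BYTES = 32


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_key_strength(key: bytes) -> bool:
    """Reject keys that are too short to be safe for HS256."""
    return len(key) >= MIN_KEY_BYTES


def load_signing_key(env_var: str = "JWT_SIGNING_KEY") -> bytes:
    """Load the signing key from the process environment (assumed deployment
    mechanism here) instead of a constant in the source tree; fail closed."""
    raw = os.environ.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set; refusing to sign tokens without a key")
    key = raw.encode("utf-8")
    if not check_key_strength(key):
        raise ValueError(f"{env_var} is shorter than {MIN_KEY_BYTES} bytes")
    return key


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return None
    return claims


def demo() -> bool:
    # Constructed weak secret of the kind the report describes: short and in source.
    if check_key_strength(b"secret"):
        return False

    # Operator-supplied key: generated once, delivered via the environment.
    os.environ["JWT_SIGNING_KEY"] = secrets.token_urlsafe(48)
    key = load_signing_key()

    token = sign_jwt({"sub": "user-1", "exp": int(time.time()) + 3600}, key)
    if verify_jwt(token, key)["sub"] != "user-1":
        return False

    # Signed under a different (constructed) key: rejected.
    if verify_jwt(sign_jwt({"sub": "admin"}, b"0" * 32), key) is not None:
        return False

    # Payload edited after signing: signature no longer matches, rejected.
    h, _p, s = token.split(".")
    edited = _b64url(json.dumps({"sub": "admin"}).encode())
    if verify_jwt(f"{h}.{edited}.{s}", key) is not None:
        return False
    return True


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Rotating the key is then a deployment change rather than a code release: set a new `JWT_SIGNING_KEY`, and every token issued under the old one stops verifying, which is exactly the property a hardcoded constant can never give you.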