Title: [Java] CWE-326: Query to detect weak HMAC secret keys used to sign JWT · Issue #380 · github/securitylab · GitHub
Open Graph Title: [Java] CWE-326: Query to detect weak HMAC secret keys used to sign JWT · Issue #380 · github/securitylab
X Title: [Java] CWE-326: Query to detect weak HMAC secret keys used to sign JWT · Issue #380 · github/securitylab
Description: Query Link to pull request with your CodeQL query: Relevant PR: github/codeql#6021 CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe t...
Open Graph Description: Query Link to pull request with your CodeQL query: Relevant PR: github/codeql#6021 CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the Git...
X Description: Query Link to pull request with your CodeQL query: Relevant PR: github/codeql#6021 CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the Git...
Opengraph URL: https://github.com/github/securitylab/issues/380
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Java] CWE-326: Query to detect weak HMAC secret keys used to sign JWT","articleBody":"## Query\r\n\r\n*Link to pull request with your CodeQL query:*\r\n\r\nRelevant PR: https://github.com/github/codeql/pull/6021\r\n\r\n## CVE ID(s)\r\n\r\n*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*\r\n\r\n\r\n## Report\r\n\r\n*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*\r\n\r\nJSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted through a digital signature. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.\r\n\r\nJWT Best Practices require human-memorizable passwords MUST NOT be directly used as the key to a keyed-MAC algorithm such as “HS256”. RFC 7518 recommends to use a password that is as large as (or larger than) the derived key length in JSON web algorithms. Common JWT signature algorithms are HS256, HS384, and HS512.\r\n\r\nPopular JWT libraries offer a method to set signing key with a handy string argument in addition to the method with a byte array argument taking the binary cryptographic key. It is a common mistake that JWT users are confused by the method signature and attempted to use raw password strings as the key argument, which is almost always incorrect for cryptographic hashes and can produce insecure results.\r\n\r\nSignature algorithms are vulnerable to brute force attack when a weak key of shorter length is used. This query detect uses of signature algorithms with a weak key of shorter length in two popular JWT frameworks jjwt and jose4j:\r\n\r\n\r\n- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*\r\n\r\n## Result(s)\r\n\r\n*Provide at least one useful result found by your query, on some revision of a real project.*\r\n\r\n- [sports-mall-server](https://github.com/itning/sports-mall-server)\r\n- [TLOG16RS](https://github.com/kovacskornel/TLOG16RS)","author":{"url":"https://github.com/luchua-bc","@type":"Person","name":"luchua-bc"},"datePublished":"2021-06-05T20:07:42.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":5},"url":"https://github.com/380/securitylab/issues/380"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:f4a44478-3f67-760f-021b-341555bf9230 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C632:13B1D:105B72B:16B60AC:6A4CA2DA |
| html-safe-nonce | 2bea0b9fabe45730355f1440b841259fd1037713e24d3a6f64ca015f2f1e0d99 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNjMyOjEzQjFEOjEwNUI3MkI6MTZCNjBBQzo2QTRDQTJEQSIsInZpc2l0b3JfaWQiOiI1NjY2MjczMjUyMTQzMzA5NTMwIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | c6eced22f243fd1af06ab1f98e4d7be187f53e727e9c64f84d8dd4d5182b97c9 |
| hovercard-subject-tag | issue:912422203 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/380/issue_layout |
| twitter:image | https://opengraph.githubassets.com/e70fd4605b98cc96b10eea200fb7d8ebe880b329e73d46213d9d371202ebea3f/github/securitylab/issues/380 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/e70fd4605b98cc96b10eea200fb7d8ebe880b329e73d46213d9d371202ebea3f/github/securitylab/issues/380 |
| og:image:alt | Query Link to pull request with your CodeQL query: Relevant PR: github/codeql#6021 CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the Git... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | luchua-bc |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | ae90d426644ca15e89bacceb72e51f4e9dbf85f7 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width