Using hardcoded cryptographic key when creating and verifing Json Web Token.
KANIXB opened this issue · comments
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e.,mogu_blog_v2) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: package com.moxi.mogublog.utils; Class: JwtUtil.class
Security issue: Using predictable/constant seed to generate cryptographic key when creating and verifing Json Web Token.
Using a hard-coded seed to generate key [(new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");] does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to generate the key used to generate the JWT. (For the hazards of hardcoded keys, you can refer to CWE-321, NIST Special Publication 800-57).
We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.