Schedulis icon indicating copy to clipboard operation
Schedulis copied to clipboard
verified publisher icon WeBankFinTech

Insecure use of (Hard-coded keys: embedding JWT secret in test) in JwtTokenTest.java

Open A-Amyan opened this issue 5 months ago • 1 comments

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in JwtTokenTest.java at line {28}, which can lead to an attack (e.g., Trivial brute-forcing or dictionary attacks on the key material). This is our result:

    "explanation": "Direct instantiation of javax.crypto.spec.SecretKeySpec is occurring here to create a key for cryptographic operations. This matches one of the monitored JCA API usages.",
    "cryptographicObjectType": "SecretKeySpec",
    "codeSnippet": "key = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());",
    "vulnerabilityType": "Insecure",
    "correction": "Do not hardcode cryptographic keys. In this instance the key is derived from the constant string \"bdp\", making it predictable and insecure. Instead, generate or retrieve keys securely at runtime using secure key management (for example, by loading the key from an environment variable, configuration file with appropriate protections, or a dedicated key management system) to ensure that the secret is not exposed in source code.",

A-Amyan avatar Jul 09 '25 11:07 A-Amyan

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in JwtTokenTest.java at line {28}, which can lead to an attack (e.g., Trivial brute-forcing or dictionary attacks on the key material). This is our result:

"explanation": "Direct instantiation of javax.crypto.spec.SecretKeySpec is occurring here to create a key for cryptographic operations. This matches one of the monitored JCA API usages.",
"cryptographicObjectType": "SecretKeySpec",
"codeSnippet": "key = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());",
"vulnerabilityType": "Insecure",
"correction": "Do not hardcode cryptographic keys. In this instance the key is derived from the constant string \"bdp\", making it predictable and insecure. Instead, generate or retrieve keys securely at runtime using secure key management (for example, by loading the key from an environment variable, configuration file with appropriate protections, or a dedicated key management system) to ensure that the secret is not exposed in source code.",

Hello, I'd like to ask where you found your database script. There's no database script here

nzhiwen666 avatar Jul 15 '25 13:07 nzhiwen666