JeffLi1993 / springboot-learning-example

Spring Boot practical learning examples: best practices for Spring Boot beginners and for consolidating core techniques.
Apache License 2.0

Using predictable/constant cryptographic key when creating and verifying JSON Web Token. #143

Open KANIXB opened 1 year ago

KANIXB commented 1 year ago

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector for the Java language (our main concern is the secure implementation and use of JSON Web Token). We found your great public repository (i.e., springboot-learning-example) on GitHub, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows: (1) Location: Package: com.dashuai.learning.jwt.utils; Class: JWTUtil.class. Security issue: Using a predictable/constant cryptographic key when creating and verifying JSON Web Token. (The key is hard-coded and does not have enough strength. It is suggested that the length of the HMAC key be as long as the length of the output.) I noticed that your comment mentioned the security issue of the short key, and I suggest that you also add an analysis or hint about the security issue of the hardcoded key.

Using a predictable/constant secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended to use a more secure way to store the secret used to generate the JWT and to use a strong enough key to improve the security of the project. (For the hazards of a predictable/constant secret, you can refer to CWE-321 and NIST Special Publication 800-57.)

We wish the above security issues could truly help you to build a secure application. If you have any concerns or suggestions, please feel free to contact us; we are looking forward to your reply. Thanks.
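As an added illustration of the two points raised above (key at least as long as the HMAC output, secret kept out of source), here is a JDK-only HS256 utility that is not code from the springboot-learning-example project; the class name, the environment variable name and the payload format are assumptions. It also pins the header algorithm and compares MACs in constant time, which goes slightly beyond the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical replacement for a JWTUtil that used a short string literal as the HS256 secret.
public final class Hs256TokenUtil {
    private static final String ALG = "HmacSHA256";
    private static final int MIN_KEY_BYTES = 32;          // HS256 output is 256 bits: key must be at least as long
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final String HEADER = B64.encodeToString(
            "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    private final byte[] key;
    private Hs256TokenUtil(byte[] key) {
        if (key.length < MIN_KEY_BYTES) throw new IllegalArgumentException("HS256 key needs >= 32 bytes, got " + key.length);
        this.key = key.clone();                           // weak keys are rejected at startup, not at first request
    }
    // Load the base64-encoded secret from the environment (assumed variable name) instead of a literal in source.
    public static Hs256TokenUtil fromEnv(String varName) {
        String encoded = System.getenv(varName);
        if (encoded == null || encoded.isEmpty()) throw new IllegalStateException("secret not set: " + varName);
        return new Hs256TokenUtil(Base64.getDecoder().decode(encoded));
    }
    public static String generateBase64Key() {           // one-time helper: fresh random 256-bit key for the env/vault
        byte[] k = new byte[MIN_KEY_BYTES];
        new SecureRandom().nextBytes(k);
        return Base64.getEncoder().encodeToString(k);
    }
    public String sign(String payloadJson) throws Exception {
        String input = HEADER + "." + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return input + "." + B64.encodeToString(hmac(input));
    }

    // Pin the header to HS256 and compare MACs in constant time; any malformed token is simply rejected.
    public boolean verify(String token) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !HEADER.equals(p[0])) return false;
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(p[2]); } catch (IllegalArgumentException e) { return false; }
        return MessageDigest.isEqual(hmac(p[0] + "." + p[1]), given);
    }
    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
}
```

Typical use is `export JWT_SECRET_B64=$(...)` with the output of `generateBase64Key()` once, then `Hs256TokenUtil.fromEnv("JWT_SECRET_B64")` at application startup, so a 4-character secret fails loudly before any token is issued.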

chenzl0723 commented 1 year ago

Received, thank you.

VitorTao commented 1 year ago

Your message has been received, many thanks.

734311568 commented 1 year ago

Thank you for your advice, I'm very glad to hear from you.

---Original--- From: @.> Date: Tue, Dec 6, 2022 14:25 PM To: @.>; Cc: @.***>; Subject: [JeffLi1993/springboot-learning-example] Using predictable/constant cryptographic key when creating and verifying JSON Web Token. (Issue #143)