Expected Findings
- HS256 secret is a 6-character dictionary word.
- Same secret is shared across staging and production.
- No key rotation; tokens are valid for 90 days.
JWT Signer
Weak JWT Secret
The token signer uses HS256 with the literal string `secret` (a default kept from a tutorial), so any caller can forge tokens after a single dictionary check.
CWE-321CWE-798
Signer probe
Primary Flows
- Issue token Sample HS256 token
- Signer config Algorithm and secret hint
- Common secrets attempt Confirms 'secret' verifies
Signals
Config
JWT_ALG = "HS256" JWT_SECRET = "secret" // TODO: replace before launch