---
name: cwe-347-jwt-signature-bypass
description: Use this skill when you need to remediate CWE-347 (JWT Signature Bypass) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing JWT signature bypass issues.
version: 1.0.0
license: MIT
tags:
- security
- java
- cwe-347
- remediation
- sast
---

# CWE-347 JWT Signature Bypass
## Description

**JWT Signature Bypass**

Reference: https://cwe.mitre.org/data/definitions/347.html

OWASP Category: A02:2021 – Cryptographic Failures
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Decoding JWT without signature verification
DecodedJWT jwt = JWT.decode(token); // NO SIGNATURE CHECK!
String userId = jwt.getClaim("userId").asString();

// VULNERABLE: Not checking for 'none' algorithm
Algorithm algorithm = Algorithm.HMAC256(secret);
JWTVerifier verifier = JWT.require(algorithm).build();
// verifier.verify(token) is never called on the token that is trusted
// Attacker can send token with alg=none and skip verification
```

**Why it's vulnerable:** `JWT.decode()` only Base64-decodes the header and payload and never checks the signature, so every claim it returns, including `userId`, is whatever the client chose to put in the token. Building a verifier but never calling `verify()` leaves the token just as unchecked, and a token whose header declares `alg: none` carries no signature at all.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: Always verify JWT signature
try {
    Algorithm algorithm = Algorithm.HMAC256(secret);
    JWTVerifier verifier = JWT.require(algorithm)
            .withIssuer("your-issuer")
            .acceptLeeway(60) // 60 seconds leeway for clock skew
            .build();
    DecodedJWT jwt = verifier.verify(token); // Throws if invalid
    // Additional check: Reject 'none' algorithm explicitly
    // (verify() already fails when the 'alg' header differs from HMAC256; this is defense in depth)
    if ("none".equalsIgnoreCase(jwt.getAlgorithm())) {
        throw new JWTVerificationException("Algorithm 'none' not allowed");
    }
    String userId = jwt.getClaim("userId").asString();
} catch (JWTVerificationException e) {
    // AuthenticationException: the application's own exception type
    throw new AuthenticationException("Invalid token", e);
}
```

**Why it's secure:** `verifier.verify()` checks that the token was signed with the expected HMAC-256 key, that the `alg` header matches that algorithm, that the issuer is the expected one, and that the time-based claims hold within the 60-second leeway; any failure throws a `JWTVerificationException` before a single claim is read.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find JWT.decode without verification
grep -rn "JWT.decode(" --include="*.java"
# Find JWT usage patterns
grep -rnE "DecodedJWT|JWTVerifier" --include="*.java"
```
## Remediation Steps

1. Replace `JWT.decode()` with `verifier.verify()`
2. Explicitly reject `alg: none` tokens
3. Validate issuer, audience, and expiration claims
4. Use strong secret keys (256+ bits for HMAC)
## Key Imports

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
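As an added example (not part of the generated skill), a small verifier wrapper in the style of the secure implementation above, run against the negative cases a unit test for it should cover; `JwtCheck`, the secret, issuer and audience strings are all constructed placeholders.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.time.Instant;
import java.util.Date;

// Hypothetical wrapper: the single place application code turns a token into an identity.
public class JwtCheck {
    private final JWTVerifier verifier;
    JwtCheck(String secret, String issuer, String audience) {
        // Pinning the verifier to HMAC256 makes verify() reject any token whose
        // 'alg' header names a different algorithm, 'none' included.
        this.verifier = JWT.require(Algorithm.HMAC256(secret))
                .withIssuer(issuer)
                .withAudience(audience)
                .acceptLeeway(60) // clock-skew tolerance for exp/nbf/iat, in seconds
                .build();
    }
    // Subject of a token that passed signature, alg, iss, aud and time checks; null if rejected.
    String subjectOf(String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            return jwt.getSubject();
        } catch (JWTVerificationException e) {
            return null; // never read claims from a token that failed verification
        }
    }
    // Constructed test tokens: the 'alg' header is whatever algorithm signs the token.
    static String token(Algorithm alg, String issuer) {
        return JWT.create()
                .withIssuer(issuer)
                .withAudience("orders-api")
                .withSubject("alice")
                .withExpiresAt(Date.from(Instant.now().plusSeconds(300)))
                .sign(alg);
    }
    public static void main(String[] args) {
        String secret = "constructed-test-secret-at-least-32-bytes-long!"; // placeholder, 256+ bits
        JwtCheck check = new JwtCheck(secret, "auth-server", "orders-api");
        Algorithm serverKey = Algorithm.HMAC256(secret);
        Algorithm otherKey = Algorithm.HMAC256("key-the-server-never-issued-xxxxxxxxxxxxx");
        System.out.println("valid token:  " + check.subjectOf(token(serverKey, "auth-server")));
        System.out.println("wrong key:    " + check.subjectOf(token(otherKey, "auth-server")));
        System.out.println("alg=none:     " + check.subjectOf(token(Algorithm.none(), "auth-server")));
        System.out.println("wrong issuer: " + check.subjectOf(token(serverKey, "rogue-issuer")));
    }
}
```

Only the first token should yield a subject; in a real unit test, assert on the specific `JWTVerificationException` subclass each rejected case raises rather than on the null return.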
## Trigger Examples

- "Fix CWE-347 vulnerability"
- "Resolve JWT Signature Bypass issue"
- "Secure this Java code against jwt signature bypass"
- "SAST reports CWE-347"
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07