From 43bf8a623f196d4cff00ab25ec54f257b055707d Mon Sep 17 00:00:00 2001
From: orenakto <oren+1@akto.io>
Date: Mon, 1 Sep 2025 17:17:56 +0530
Subject: [PATCH] added jwt hs256 test and remediation steps

---
 .../JWTSigningAlgHS256.yml                    | 41 +++++++++++++++++++
 remediation/JWT_SIGNING_ALG_HS256.md          | 28 +++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 Broken-User-Authentication/JWTSigningAlgHS256.yml
 create mode 100644 remediation/JWT_SIGNING_ALG_HS256.md

diff --git a/Broken-User-Authentication/JWTSigningAlgHS256.yml b/Broken-User-Authentication/JWTSigningAlgHS256.yml
new file mode 100644
index 00000000..1f27bb27
--- /dev/null
+++ b/Broken-User-Authentication/JWTSigningAlgHS256.yml
@@ -0,0 +1,41 @@
+id: JWT_SIGNING_ALG_HS256
+info:
+  name: JWT signed using HS256 algorithm
+  description: "The JSON Web Token (JWT) is signed using the HS256 algorithm. This symmetric algorithm is vulnerable to brute-force attacks if the secret key lacks sufficient complexity, allowing attackers to forge tokens."
+  details: |
+    "The application uses the HS256 (HMAC using SHA-256) algorithm to sign JWTs. This is a symmetric algorithm, meaning the same secret key is used to both create and validate the token's signature. This setup is vulnerable because the secret key can potentially be reverse-engineered using brute-force methods, especially if it is not long or complex enough. Unlike asymmetric algorithms like RS256, which use a private/public key pair, HS256 relies on a single shared secret. If an attacker discovers this secret through brute-forcing or other means, they can forge valid tokens at will. This completely undermines the integrity of the authentication process."
+  impact: |
+    "If an attacker successfully cracks the HS256 secret key, they can forge valid JWTs with any payload they choose. This could lead to a full account takeover by allowing them to impersonate other users, including administrators. For example, an attacker could escalate their privileges and gain unauthorized access to sensitive data and functions."
+  category:
+    name: NO_AUTH
+    shortName: Broken User Authentication
+    displayName: Broken User Authentication (BUA)
+  subCategory: JWT_SIGNING_ALG_HS256
+  severity: MEDIUM
+  tags:
+  - Business logic
+  - OWASP top 10
+  - HackerOne top 10
+  references:
+  - https://portswigger.net/web-security/jwt#brute-forcing-secret-keys
+  - https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
+attributes:
+  nature: NON_INTRUSIVE
+  plan: FREE
+  duration: FAST
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  request_headers:
+    for_one:
+      value:
+        jwt_signing_alg: HS256
+execute:
+  type: passive
+  requests:
+  - req: []
+validate:
+  response_code:
+    gte: 200
+    lt: 300
diff --git a/remediation/JWT_SIGNING_ALG_HS256.md b/remediation/JWT_SIGNING_ALG_HS256.md
new file mode 100644
index 00000000..876a76f8
--- /dev/null
+++ b/remediation/JWT_SIGNING_ALG_HS256.md
@@ -0,0 +1,28 @@
+
+
+## Remediation Steps for JWT signed using HS256 algorithm Vulnerability
+The JWT HS256 algorithm vulnerability arises because HS256 is a symmetric algorithm, meaning it uses the same secret key to both sign and verify a token. If this secret key is weak or exposed, an attacker can brute-force it to forge valid tokens and gain unauthorized access.
+### Step 1: Use Strong Asymmetric Algorithms
+The most effective remediation is to switch from a symmetric algorithm (like HS256) to an asymmetric algorithm (like RS256 or ES256). Asymmetric algorithms use a private key to sign the token and a separate public key to verify it. Since the private key never leaves the server, it cannot be intercepted and used by an attacker to forge tokens.
+```javascript
+// BAD: Using a shared secret with a symmetric algorithm
+const token = jwt.sign(payload, 'my-weak-secret', { algorithm: 'HS256' });
+
+// GOOD: Using a private key to sign with an asymmetric algorithm
+const privateKey = fs.readFileSync('path/to/private.key');
+const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+```
+In the good example, a private key is used for signing. Only the corresponding public key, which can be shared safely, is needed for verification.
+### Step 2: Enforce a Strong, High-Entropy Secret Key
+If you must continue using HS256, it is critical to use a secret key that is long, random, and has high entropy to make brute-force attacks impractical.
+* DO NOT use common words, simple phrases, or predictable patterns.
+* DO use a cryptographically secure random string with a recommended length of at least 32 characters (256 bits).
+```javascript
+// BAD: Weak, guessable secret
+const weakSecret = 'password123';
+
+// GOOD: Strong, randomly generated secret
+const strongSecret = 'D8A6F7B4E29C1D05G3H6I9J2K5L8M1N4P7Q0R3S6T9U2';
+```
+### Step 3: Implement Key Rotation
+Regularly rotating your secret keys (or private keys) is a crucial security practice. Key rotation limits the time an attacker has to exploit a compromised key. If a key is leaked, it will only be valid until the next rotation cycle, minimizing the potential damage.
\ No newline at end of file