csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.

Run Locally

Run in CI

Defintion

rules:
  - id: unsigned-security-token
    patterns:
      - pattern: RequireSignedTokens = false
      - pattern-inside: |
          new TokenValidationParameters {
            ...
          }
    fix: RequireSignedTokens = true
    message: Accepting unsigned security tokens as valid security tokens allows an
      attacker to remove its signature and potentially forge an identity. As a
      fix, set RequireSignedTokens to be true.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-347: Improper Verification of Cryptographic Signature"
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
        - https://cwe.mitre.org/data/definitions/347
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: ERROR

Examples

unsigned-security-token.cs

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ruleid: unsigned-security-token
                    RequireSignedTokens = false,
                    ValidateIssuer = false,
                    ValidateAudience = false
                };
            });

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ok: unsigned-security-token
                    RequireSignedTokens = true,
                    ValidateIssuer = false,
                    ValidateAudience = false
                };
            });