jwt-securitytoken-no-expiration.jwt-securitytoken-no-expiration

Author
unknown
A JWT security token must be treated as invalid if it carries no expiration time. If such a token is compromised, an attacker can replay it indefinitely, because nothing on the server side ever stops accepting it.
Definition
rules:
  - id: jwt-securitytoken-no-expiration
    patterns:
      - pattern: RequireExpirationTime = false
      - pattern-inside: new TokenValidationParameters {...}
    fix: RequireExpirationTime = true
    message: JWT Security Token must be considered invalid if it does not have an
      expiration time. A JWT Security Token can be compromised, and an attacker
      can exploit a non-expiring token with unlimited time.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A07:2021 – Identification and Authentication Failures
      cwe: "CWE-613: Insufficient Session Expiration"
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
        - https://cwe.mitre.org/data/definitions/613.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: ERROR
Examples
jwt-securitytoken-no-expiration.cs
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // ruleid: jwt-securitytoken-no-expiration
        RequireExpirationTime = false,
        RequireSignedTokens = true,
        ValidateIssuer = false,
        ValidateAudience = false
    };
});

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // ok: jwt-securitytoken-no-expiration
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateIssuer = false,
        ValidateAudience = false
    };
});
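The following console program is an added example, not part of the Semgrep rule or the examples above. It mints a signed token that deliberately has no `exp` claim and validates it twice, once with each `RequireExpirationTime` setting, so the runtime effect of the flagged configuration is visible. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages are referenced; the signing key and the `sub` claim are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class NoExpirationDemo
{
    // Constructed demo key; a real service loads its key from a secret store.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-must-be-at-least-32-bytes-long!"));

    // Build a signed token that carries no "exp" claim at all.
    static string CreateTokenWithoutExp()
    {
        // Without this, the handler silently adds a default one-hour "exp".
        var handler = new JwtSecurityTokenHandler { SetDefaultTimesOnTokenCreation = false };
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validate with the same parameters the rule inspects, varying only RequireExpirationTime.
    static bool Validate(string token, bool requireExpirationTime)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = Key,
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = true,                    // library default, shown for clarity
            RequireExpirationTime = requireExpirationTime
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return true;                                // token accepted
        }
        catch (SecurityTokenNoExpirationException)
        {
            return false;                               // rejected: no "exp" claim present
        }
    }

    static void Main()
    {
        string token = CreateTokenWithoutExp();
        Console.WriteLine($"RequireExpirationTime = false -> accepted: {Validate(token, false)}");
        Console.WriteLine($"RequireExpirationTime = true  -> accepted: {Validate(token, true)}");
    }
}
```

With `RequireExpirationTime = false` the never-expiring token is accepted; with the rule's fix applied it is rejected with `SecurityTokenNoExpirationException`, which is the behaviour a defender wants from the bearer middleware.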
Short Link: https://sg.run/WGNj