jwt-securitytoken-no-expiration

Author: returntocorp

A JWT security token must be considered invalid if it has no expiration time. If such a token is compromised, an attacker can keep using it indefinitely, because nothing ever causes it to stop validating.


Definition

rules:
  - id: jwt-securitytoken-no-expiration
    patterns:
      - pattern: RequireExpirationTime = false
      - pattern-inside: new TokenValidationParameters {...}
    fix: RequireExpirationTime = true
    message: JWT Security Token must be considered invalid if it does not have an
      expiration time. A JWT Security Token can be compromised, and an attacker
      can exploit a non-expiring token with unlimited time.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A07:2021 – Identification and Authentication Failures
      cwe: "CWE-613: Insufficient Session Expiration"
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
        - https://cwe.mitre.org/data/definitions/613.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: ERROR

Examples

jwt-securitytoken-no-expiration.cs

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // ruleid: jwt-securitytoken-no-expiration
        RequireExpirationTime = false,
        RequireSignedTokens = true,
        ValidateIssuer = false,
        ValidateAudience = false
    };
});

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // ok: jwt-securitytoken-no-expiration
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateIssuer = false,
        ValidateAudience = false
    };
});
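The console program below is an added illustration, not part of the Semgrep rule or its test file: it builds a correctly signed token that simply has no exp claim and shows that the handler accepts it under the flagged setting and rejects it with SecurityTokenNoExpirationException once RequireExpirationTime is true. It assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages; the signing key, issuer and audience values are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class ExpirationDemo
{
    // Constructed 32-byte demo key; a real service loads its key from configuration or a KMS.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));

    // Builds a signed HS256 token. Passing null for 'expires' means no 'exp' claim is emitted.
    static string MakeToken(DateTime? expires)
    {
        var jwt = new JwtSecurityToken(
            issuer: "demo-issuer", audience: "demo-audience",
            claims: new[] { new Claim("sub", "alice") },
            notBefore: null, expires: expires,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Same parameters as the page's examples, plus the key needed to check the signature.
    static TokenValidationParameters Parameters(bool requireExpirationTime) =>
        new TokenValidationParameters
        {
            RequireExpirationTime = requireExpirationTime,
            RequireSignedTokens = true,
            IssuerSigningKey = Key,
            ValidateIssuer = false,
            ValidateAudience = false
        };

    // True if the handler accepts the token; false if it is rejected for lacking an expiry.
    static bool Accepts(string token, TokenValidationParameters parameters)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); return true; }
        catch (SecurityTokenNoExpirationException) { return false; }
    }

    static void Main()
    {
        string noExp = MakeToken(null);
        // Vulnerable setting: a token with no 'exp' is accepted, today and at any later date.
        Console.WriteLine($"RequireExpirationTime=false, no exp: accepted={Accepts(noExp, Parameters(false))}");
        // Fixed setting: the same token is rejected outright.
        Console.WriteLine($"RequireExpirationTime=true,  no exp: accepted={Accepts(noExp, Parameters(true))}");
        // Fixed setting still accepts a token that carries a future 'exp'.
        Console.WriteLine($"RequireExpirationTime=true,  exp+5m: accepted={Accepts(MakeToken(DateTime.UtcNow.AddMinutes(5)), Parameters(true))}");
    }
}
```

Note that the signature check passes in all three cases; only the presence of exp decides the outcome, which is why a leaked non-expiring token cannot be aged out without rotating the signing key.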