Copyedit documentation

Chris Smowton
2024-07-30 12:19:16 +01:00
committed by GitHub
parent 96c142bf0a
commit a781522ca0

@@ -2,24 +2,21 @@
<qhelp>
<overview>
<p>
A JSON Web Token (JWT) is used for authenticating and managing users in an application.
</p>
<p>
Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities.
A JSON Web Token (JWT) is used for authenticating and managing users in an application. It must be verified in order to ensure the JWT is genuine.
</p>
</overview>
<recommendation>
<p>
Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT.
Don't use information from a JWT without verifying that JWT.
</p>
</recommendation>
<example>
<p>
The following code you can see an Example from a popular Library.
The following example illustrates secure and insecure use of the Auth0 `java-jwt` library.
</p>
<sample src="Example.java" />
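Review bot: The new recommendation, "Don't use information from a JWT without verifying that JWT", no longer says what verification means. The wording it replaces named the signature check explicitly ("use methods that verify the signature of JWT"), and the new overview sentence ("It must be verified in order to ensure the JWT is genuine") is equally unspecific. Suggest keeping the word "signature" in at least one of the two, for example "without first verifying its signature", so the reader can tell that a decode-only call is the pattern being warned about. Separately, in the example paragraph the backticks around java-jwt are Markdown and will show up literally in qhelp XML; use <code>java-jwt</code> there.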
@@ -31,4 +28,4 @@
</li>
</references>
</qhelp>
</qhelp>
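Review bot: The closing </qhelp> line is shown as both removed and re-added with no visible difference, so this hunk changes only whitespace or the end-of-file newline. Worth confirming the file now ends with exactly one trailing newline and that this is intended rather than an editor side effect in an otherwise copyedit-only commit.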