5f72418577
* Add csharp to rule S6781 * Update RSPEC for .NET * Address review comments * Apply suggestions from code review * Apply suggestions from code review --------- Co-authored-by: sebastien-andrivet-sonarsource <sebastien-andrivet-sonarsource@users.noreply.github.com> Co-authored-by: sebastien-andrivet-sonarsource <sebastien.andrivet@sonarsource.com> Co-authored-by: Jamie Anderson <jamie.anderson@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
13 lines
676 B
Plaintext
13 lines
676 B
Plaintext
If a JWT secret key leaks to an unintended audience, it can have serious
|
|
security implications for the corresponding application. The secret key is used
|
|
to encode and decode JWTs when using a symmetric signing algorithm, and an
|
|
attacker could potentially use it to perform malicious actions.
|
|
|
|
For example, an attacker could use the secret key to create their own
|
|
authentication tokens that appear to be legitimate, allowing them to bypass
|
|
authentication and gain access to sensitive data or functionality.
|
|
|
|
In the worst-case scenario, an attacker could be able to execute arbitrary code
|
|
on the application by abusing administrative features, and take over its hosting
|
|
server.
|