# Improper Authentication (CWE-287)

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

**Stack:** JavaScript

- Prevalence: High (frequently exploited)
- Impact: Critical (2 rules of critical severity)
- Prevention: Documented (2 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Authentication is the process of determining whether a claimed identity is correct. When authentication is insufficient or incorrect, attackers can assume the identity of legitimate users.

## Prevention

Prevention measures for Improper Authentication, based on 1 Shoulder detection rule.

### JavaScript

Use jwt.verify() instead of jwt.decode() when assigning user identity.

## Warning Signs

- [CRITICAL] when jwt

## Consequences

- Gain privileges
- Bypass protection mechanism
- Read application data

## Mitigations

- Use multi-factor authentication (MFA)
- Use a vetted library or framework for authentication
- Implement an appropriate password policy

## Detection

- Total rules: 2
- Critical: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
const jwt = require('jsonwebtoken');
// verify() checks the signature, pins the accepted algorithm and throws on failure; decode() does none of this
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity

### Typescript (1 rule)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
const jwt = require('jsonwebtoken');
// verify() checks the signature, pins the accepted algorithm and throws on failure; decode() does none of this
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity