# Use of Hard-coded Cryptographic Key (CWE-321)

The product uses a hard-coded cryptographic key to encrypt or sign sensitive data.

- Prevalence: High Frequently exploited
- Impact: Critical 1 critical-severity rules
- Prevention: Documented 1 fix examples

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Hard-coded cryptographic keys can be extracted through reverse engineering. Once the key is known, any data encrypted with that key can be decrypted, and signatures can be forged.

## Prevention

Prevention strategies for Hardcoded Cryptographic Key based on 1 Shoulder detection rules.

### Node.js

Use server-side secrets from environment variables, never from user input

## Warning Signs

- [CRITICAL] JWT signing or verification using user-controlled secrets

## Consequences

- Read Application Data
- Bypass Protection Mechanism

## Mitigations

- Generate cryptographic keys at deployment time
- Store keys securely using key management systems
- Rotate keys periodically

## Detection

- Total rules: 1
- Critical: 1
- Languages: javascript, typescript

## Rules by Language

### Javascript (1 rules)

- **JWT User-Controlled Secret** [CRITICAL]: Detects JWT signing or verification using user-controlled secrets.

JWT security relies on keeping the secret key confidential. If an attacker can control or
influence the secret used for signing or verification, they can:
- Forge valid tokens for any user
- Bypass authentication entirely
- Impersonate other users

This includes:
- Using req.body.secret, req.query.secret directly as the JWT secret
- Allowing users to provide custom secrets for verification
- Using weak or predictable secrets from user input
  - Remediation: Use server-side secrets from environment variables, never user input:

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  const { token } = req.body;
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['RS256']
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-321/jwt-weak-secret

### Typescript (1 rules)

- **JWT User-Controlled Secret** [CRITICAL]: Detects JWT signing or verification using user-controlled secrets.

JWT security relies on keeping the secret key confidential. If an attacker can control or
influence the secret used for signing or verification, they can:
- Forge valid tokens for any user
- Bypass authentication entirely
- Impersonate other users

This includes:
- Using req.body.secret, req.query.secret directly as the JWT secret
- Allowing users to provide custom secrets for verification
- Using weak or predictable secrets from user input
  - Remediation: Use server-side secrets from environment variables, never user input:

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  const { token } = req.body;
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['RS256']
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-321/jwt-weak-secret