# Improper Authentication (CWE-287) When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. **Stack:** JavaScript - Prevalence: 高 频繁被利用 - Impact: 关键 2 条严重级别为关键的规则 - Prevention: 已记录 2 个修复示例 **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description Authentication is the process of determining if a claimed identity is correct. When authentication is insufficient or incorrect, attackers can assume the identity of legitimate users. ## Prevention 基于 1 条 Shoulder 检测规则的 Improper Authentication 预防策略。 ### JavaScript Use jwt.verify() instead of jwt.decode() when assigning user identity ## Warning Signs - [CRITICAL] when jwt ## Consequences - 获取权限 - 绕过保护机制 - 读取应用程序数据 ## Mitigations - 使用多因素身份验证 - 对身份验证使用经过审查的库或框架 - 实施适当的密码策略 ## Detection - Total rules: 2 - Critical: 2 - Languages: javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures. - Remediation: Use jwt.verify() instead of jwt.decode() for authentication. ```javascript const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] }); req.user = decoded; ``` Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity ### Typescript (1 rules) - **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures. - Remediation: Use jwt.verify() instead of jwt.decode() for authentication. ```javascript const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] }); req.user = decoded; ``` Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity