#0805

Weak Secret Rejection

Hard · +200 XP · A07:2021 Identification and Authentication Failures · CWE-347
JWT · Authentication · Secret Management

Scenario

JWT HMAC signatures are only as strong as the secret used to sign them. Short or common secrets can be brute-forced offline in seconds.

Your secret validation function accepts any string — including empty strings and well-known weak values.

An attacker who captures a token can crack the secret and forge new tokens.

JWT secrets shorter than 256 bits (32 bytes) can be brute-forced with tools like hashcat in minutes. Known common secrets are tried first by every JWT cracking tool.

Your Tasks

  1. Inspect validateSecret — it accepts any string without checking length or known-weak values.
  2. Fix it: throw 'Secret too weak' if secret.length < 32.
  3. Also throw 'Secret too weak' if secret is in: ['secret','password','changeme','jwt_secret','mysecret'].
  4. Return {valid:true, length:secret.length} for strong secrets.

Examples

Example 1: Common weak secret accepted (bug)

validateSecret('secret')
// Returns {valid:true, length:6} — should throw!

Example 2: Strong secret accepted

validateSecret('a8f3k2m9p1q7r5s6t4u0v8w2x9y3z1b4')
// Returns {valid:true, length:32}

Constraints

  • secret is a string
  • Minimum length is 32 characters
  • Denylist: 'secret', 'password', 'changeme', 'jwt_secret', 'mysecret'
  • Throw exactly 'Secret too weak' — no other message
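The permissive validator the tasks describe, placed next to a hardened version that meets the constraints above. This is an added example, not the challenge's solution file; the helper name tryValidate and the choice to throw an Error carrying the required message are assumptions.

```javascript
// Added example: the buggy validator beside its hardened form.

// Original (bug): accepts any string, including '' and well-known weak values.
function validateSecretWeak(secret) {
  return { valid: true, length: secret.length };
}

// Denylist from the Constraints section: these are the first guesses in any
// JWT cracking wordlist, so they give no protection regardless of length.
const WEAK_SECRETS = new Set(['secret', 'password', 'changeme', 'jwt_secret', 'mysecret']);
// 32 characters; for an ASCII secret this is the 256 bits an HS256 key should have.
const MIN_SECRET_LENGTH = 32;

// Hardened: throws exactly 'Secret too weak' for short or denylisted secrets.
function validateSecret(secret) {
  if (typeof secret !== 'string') throw new Error('Secret too weak');
  // Caveat: String.length counts UTF-16 code units, not bytes; a non-ASCII
  // secret can pass this check with fewer than 32 bytes of actual material.
  if (secret.length < MIN_SECRET_LENGTH) throw new Error('Secret too weak');
  if (WEAK_SECRETS.has(secret)) throw new Error('Secret too weak');
  return { valid: true, length: secret.length };
}

// Assumed helper for the worked examples: returns the result object for a
// strong secret, or the thrown message for a weak one.
function tryValidate(secret) {
  try {
    return validateSecret(secret);
  } catch (e) {
    return e.message;
  }
}
```

Both page examples behave as specified: tryValidate('secret') yields 'Secret too weak', while the 32-character secret from Example 2 returns {valid:true, length:32}.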
