Course

The Code Review Snippet challenges on PentesterLab are designed to help you identify vulnerabilities in small pieces of code. In this particular lab, you are presented with a snippet of JavaScript code that uses JSON web tokens (JWT). You are encouraged to find the issue on your own before watching the accompanying video for a thorough explanation.

The video highlights a specific vulnerability in the code. It points out that the application only uses a strong secret if the environment is set to "production." If the environment variable NODE_ENV is not defined or is set to anything other than "production," a weak default secret is used. Additionally, even in production mode, there is no check to ensure the complexity of the JWT_SECRET, making it possible for the secret to be trivially easy to guess.