Javascript Snippet #01
This challenge covers the review of a short snippet of code written in JavaScript.
The Code Review Snippet challenges on PentesterLab are designed to help you identify vulnerabilities in small pieces of code. In this particular lab, you are presented with a snippet of JavaScript code that uses JSON web tokens (JWT). You are encouraged to find the issue on your own before watching the accompanying video for a thorough explanation.
The video highlights a specific vulnerability in the code. The application only uses the configured secret when the environment is set to "production": if the NODE_ENV environment variable is undefined or set to anything other than "production," a weak, hard-coded default secret is used instead. Additionally, even in production mode there is no check on the complexity of JWT_SECRET, so the secret may still be trivially easy to guess.