Fix JWT Vulnerabilities (Weak Signing, None Algo) in Tornado
JWT handling in Tornado apps usually goes wrong not because of Tornado itself but because PyJWT is called with verification switched off, without an algorithm allow-list, or with a guessable secret. An attacker who can get a token accepted with `alg: none`, or who recovers a weak HMAC secret by offline brute force, can mint tokens with any claims and escalate privileges. To harden your Tornado app, enforce the cryptographic constraints at the decoding layer (pin the algorithm, keep signature verification on, require expiry) and load a high-entropy secret from the environment.
The Vulnerable Pattern
```python
import jwt
from tornado.web import RequestHandler


class VulnerableHandler(RequestHandler):
    def get(self):
        # VULNERABLE: no algorithm allow-list, hardcoded weak secret, and
        # signature verification switched off entirely.
        auth_header = self.request.headers.get('Authorization')
        token = auth_header.split(' ')[1]
        # With verify_signature=False PyJWT skips the signature check, so the
        # 'secret' is never even used: an attacker can send an unsigned token
        # (alg 'none', empty signature segment) or any payload with a bogus
        # signature, and the claims are trusted as-is.
        payload = jwt.decode(token, 'secret', options={'verify_signature': False})
        self.write(payload)
```
The Secure Implementation
1. Algorithm enforcement: passing `algorithms=['HS256']` tells PyJWT the only algorithm the server will accept; a token whose header says `alg: none` or any other value (for example `RS256`) is rejected before the signature is even checked, so the token can never pick its own algorithm. The same rule applies in reverse: a service that verifies RS256 tokens must pass only `['RS256']` with the public key, otherwise an attacker can switch the header to HS256 and use the public key as the HMAC secret. PyJWT 2.x refuses to decode without an explicit `algorithms` list, but pin it in code regardless so an older dependency cannot silently relax it.
2. Secret management: a hardcoded string like `'secret'` falls to a wordlist attack with Hashcat's JWT mode in seconds. Load at least 32 random bytes from the environment (for example the output of `secrets.token_hex(32)`), and refuse to start if the variable is missing rather than falling back to a default.
3. Explicit verification: never set `verify_signature` to `False` in production. It disables every check, so any unsigned or mis-signed payload is accepted.
4. Error handling: catch the PyJWT exceptions (`ExpiredSignatureError`, then the broader `InvalidTokenError`) so that a bad token yields a clean 401/403 instead of a stack trace that leaks internal state.
```python
import jwt
import os
from tornado.web import RequestHandler, HTTPError

# SECURE: load a high-entropy secret from the environment and fail fast if
# it is missing, so the service never runs with an empty or default key.
JWT_SECRET = os.environ.get('JWT_SECRET_KEY')
if not JWT_SECRET:
    raise RuntimeError('JWT_SECRET_KEY is not set')
ALLOWED_ALGORITHMS = ['HS256']


class SecureHandler(RequestHandler):
    def get(self):
        auth_header = self.request.headers.get('Authorization')
        if not auth_header or not auth_header.startswith('Bearer '):
            raise HTTPError(401, 'Missing or invalid token')
        try:
            token = auth_header.split(' ')[1]
            # SECURE: pin the accepted algorithm, keep signature verification
            # on (the default), and require a valid 'exp' claim.
            payload = jwt.decode(
                token,
                JWT_SECRET,
                algorithms=ALLOWED_ALGORITHMS,
                options={'verify_exp': True, 'require': ['exp']}
            )
            self.write(payload)
        except jwt.ExpiredSignatureError:
            raise HTTPError(401, 'Token expired')
        except jwt.InvalidTokenError:
            # Covers DecodeError, InvalidAlgorithmError, InvalidSignatureError, ...
            raise HTTPError(403, 'Invalid token')
        except Exception:
            raise HTTPError(500, 'Internal Server Error')
```
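To make concrete what the two handlers above differ on, here is an added example (not code from the original page or from PyJWT) that builds HS256 tokens by hand with only the standard library, forges the `alg: none` token an attacker would send, and runs both through an unverified decode (what `verify_signature: False` amounts to) and a strict verifier that enforces the algorithm allow-list, a constant-time HMAC check and a required `exp`. The claims, the 32-byte secret and the "wrong key" case are constructed for the demo; the helper names (`sign_hs256`, `forge_none_token`, `decode_strict`, `is_valid`) are this example's own, not PyJWT's API.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a properly signed HS256 token (what the server's login path does)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_none_token(claims: dict) -> str:
    """Attacker-made token: alg 'none' and an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def decode_unverified(token: str) -> dict:
    """Equivalent of decoding with verify_signature=False: trust the payload blindly."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def decode_strict(token: str, secret: bytes, allowed_algs=("HS256",), now=None) -> dict:
    """Server-side allow-list, constant-time HMAC check and required, unexpired 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("bad header")
    # Algorithm enforcement: the server decides the algorithm, never the token.
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        raise InvalidToken("algorithm not allowed: %r" % (header,))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidToken("missing or expired exp")
    return claims


def is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        decode_strict(token, secret, now=now)
        return True
    except InvalidToken:
        return False


def new_secret() -> bytes:
    """256 random bits, the minimum size recommended above for an HS256 key."""
    return secrets.token_bytes(32)


def demo() -> dict:
    secret = new_secret()
    exp = int(time.time()) + 3600
    good = sign_hs256({"sub": "alice", "role": "user", "exp": exp}, secret)
    forged = forge_none_token({"sub": "alice", "role": "admin", "exp": exp})
    # Same admin payload signed with the guessable hardcoded key from the vulnerable handler.
    wrong_key = sign_hs256({"sub": "alice", "role": "admin", "exp": exp}, b"secret")
    return {
        "unverified_accepts_forged": decode_unverified(forged)["role"] == "admin",
        "strict_accepts_good": decode_strict(good, secret)["role"] == "user",
        "strict_rejects_forged": not is_valid(forged, secret),
        "strict_rejects_wrong_key": not is_valid(wrong_key, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The `alg` check runs before any cryptography, which is the property `algorithms=['HS256']` gives you in PyJWT: a `none` token never reaches the HMAC comparison, and a token signed under a different key fails the constant-time `compare_digest`. Running `demo()` shows the unverified decode happily returning `role: admin` from the forged token while the strict verifier rejects both the forged and the wrong-key token and accepts only the properly signed one.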
Verified by Ghost Labs Security Team