// half-baked code · #03
hard · 10-15 min · 18% solve rate · 654 attempts

The Security Hole in String Comparison

This authentication check has a vulnerability that could expose your secrets.

Security · Node.js

The Code

This code passed code review and works in development. But it has a bug that will cause problems in production.

auth.js
javascript
const crypto = require('crypto');

function verifySignature(token, secret) {
  const [header, payload, signature] = token.split('.');

  // Recreate the signature
  const data = `${header}.${payload}`;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(data)
    .digest('base64url');

  // Compare signatures
  if (signature === expectedSignature) {
    return true;
  }

  return false;
}

// This JWT verification has a security vulnerability.
// An attacker could potentially forge valid tokens.
// What's the issue?
