Difficulty: hard · 10-15 min · 18% solve rate

The Security Hole in String Comparison

This authentication check has a vulnerability that could expose your secrets.

Tags: Security, Node.js

The Code

This code passed code review and works in development. But it has a bug that will cause problems in production.

auth.js

```javascript
const crypto = require('crypto');

function verifySignature(token, secret) {
  const [header, payload, signature] = token.split('.');

  // Recreate the signature
  const data = `${header}.${payload}`;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(data)
    .digest('base64url');

  // Compare signatures
  if (signature === expectedSignature) {
    return true;
  }

  return false;
}

// This JWT verification has a security vulnerability.
// An attacker could potentially forge valid tokens.
// What's the issue?
```

