JWT signature not verified
Description: JWT signature not verified
The JSON Web Token specification provides several ways for developers to digitally sign payload claims. This ensures data integrity and robust user authentication. However, some servers fail to properly verify the signature, which can result in them accepting tokens with invalid signatures.
A malicious user can exploit this vulnerability by supplying an arbitrary claim in the JWT payload to obtain new privileges or impersonate other users. For example, if the token contains a "username": "joe" claim, an attacker could potentially change this to "username": "admin" to grant themselves higher privileges.
Burp Suite detects this vulnerability by comparing responses to multiple requests with proper and improper signatures. Although this is a reliable detection method, it is not bulletproof. When this issue is reported, we recommend manually checking that the difference in responses was indeed caused by the different JWT permutations.
Remediation: JWT signature not verified
Ensure that the signature of the JWT is properly verified for all supported algorithms.
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-347: Improper Verification of Cryptographic Signature
Type index (hex)
Type index (decimal)