JWT none algorithm supported
Description: JWT none algorithm supported
All JSON Web Tokens should contain the "alg" header parameter, which specifies the algorithm that the server should use to verify the signature of the token. In addition to cryptographically strong algorithms, the JWT specification also defines the "none" algorithm, which can be used with "unsecured" (unsigned) JWTs. When this algorithm is supported on the server, it may accept tokens that have no signature at all.
As the JWT header can be tampered with client-side, a malicious user could change the "alg" header to "none", then remove the signature and check whether the server still accepts the token.
If it does, they could exploit this vulnerability by supplying an arbitrary claim in the JWT payload to escalate their privileges or impersonate other users. For example, if the token contains a "username": "joe" claim, they could change this to "username": "admin".
Remediation: JWT none algorithm supported
Ensure that unsecured JWTs are rejected by the server and only cryptographically strong algorithms are accepted and verified. Even if the application does not directly use unsecured JWTs, it's important to make sure that the "alg": "none" header parameter is restricted by the underlying JWT parsing library.
Vulnerability classifications
Typical severity
High
Type index (hex)
0x00200901
Type index (decimal)
2099457