JSON Web Token None Hashing Algorithm

Severity: High | Web Application Scanning | Plugin ID 112703

Synopsis

JSON Web Token None Hashing Algorithm

Description

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity.

An application can also configure JSON Web Tokens with the 'none' algorithm and an empty signature, leaving the data unsigned and modifiable without any verification. In addition, some libraries used to handle JSON Web Tokens implement this algorithm badly: a token whose header has been changed to 'none' is treated as verified even though the token was originally issued with a signature.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

Applications configured to create JSON Web Tokens with the 'none' algorithm should be updated to use a supported signing algorithm with a strong secret or private key. If an unsigned token has been verified by the application despite having been created with a signature, ensure that the library used to handle JSON Web Tokens does not automatically verify tokens with the 'none' algorithm.
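The following verifier illustrates the remediation above: the accepted algorithm comes from a server-side allowlist, never from the token header, so a token whose header has been switched to 'none' is rejected whether or not it still carries a signature. This is an added example written for this page, not Tenable's or any library's code; it assumes an HS256-only policy and uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Assumed application policy: only HS256 is accepted; 'none' is never on the list.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way the application should: HMAC-SHA256 over header.payload."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the claims only if the header names an allowed algorithm and the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    # The algorithm is decided by server policy, not by the token: this rejects 'none'
    # in any capitalisation and any unsigned token, even one originally issued signed.
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, secret: bytes) -> bool:
    """Boolean wrapper for unit tests and log checks: True only for a correctly signed token."""
    try:
        verify_jwt(token, secret)
        return True
    except ValueError:  # covers base64, JSON and policy failures raised above
        return False
```

A regression test for the library case described above is simply: take a validly issued token, rewrite its header to 'none', and assert the verifier rejects it both with the old signature kept and with the signature removed.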

See Also

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://research.securitum.com/jwt-json-web-token-security/

https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries

Plugin Details

Severity: High

ID: 112703

Type: remote

Published: 2/16/2021

Updated: 11/26/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

Reference Information