JSON Web Token None Hashing Algorithm

Severity: High | Web Application Scanning | Plugin ID 112703



Description

JSON Web Tokens can be signed to protect against data tampering. Using an asymmetric or a symmetric signing algorithm, the application computes a signature over the token's header and payload; that signature is checked when the token is decoded, so any change to the token data is detected.

An application can also configure its JSON Web Tokens with the 'none' algorithm and an empty signature, leaving the data unsigned and modifiable without any verification. In addition, some libraries used to handle JSON Web Tokens mishandle this algorithm: a token whose header has been rewritten to 'none' is treated as verified even though it was originally issued with a signature.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.


Solution

Applications configured to create JSON Web Tokens with the 'none' algorithm should be updated to use a supported signing algorithm with a strong secret or private key. If the application has accepted an unsigned token that was originally issued with a signature, ensure that the library used to handle JSON Web Tokens does not accept tokens declaring the 'none' algorithm; the set of acceptable algorithms must be fixed by the verifying application rather than read from the token header.
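The following is an added example written for this page, not Tenable's plugin code. It shows, in plain Python with only the standard library, a flawed verifier that lets the token header choose the algorithm (so an 'alg: none' token passes) next to a hardened verifier that enforces a server-side allow-list and rejects an empty signature. The demo key, the HS256 choice and the claims are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its key from a secret store.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _segments(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return parts


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token signed with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ])
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def strip_signature(token: str) -> str:
    """Constructed test vector for the case the plugin describes: the same
    payload with the header rewritten to 'none' and the signature dropped."""
    _, payload_b64, _ = _segments(token)
    header_b64 = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header_b64}.{payload_b64}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Flawed verifier: the token's own header selects the algorithm, so an
    'alg: none' token is returned as verified without any check."""
    header_b64, payload_b64, sig_b64 = _segments(token)
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    raise ValueError("invalid signature")


def verify_strict(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened verifier: the server fixes the acceptable algorithms, 'none'
    is refused even if someone adds it to the list, and an empty signature
    is rejected before any comparison happens."""
    header_b64, payload_b64, sig_b64 = _segments(token)
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg == "none" or alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not permitted")
    if not sig_b64:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run the signed token and its unsigned variant through both verifiers."""
    token = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    unsigned = strip_signature(token)
    results = {
        "flawed_accepts_unsigned": verify_trusting_header(unsigned, DEMO_KEY) is not None,
        "strict_accepts_signed": verify_strict(token, DEMO_KEY)["sub"] == "alice",
    }
    try:
        verify_strict(unsigned, DEMO_KEY)
        results["strict_accepts_unsigned"] = True
    except ValueError:
        results["strict_accepts_unsigned"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The same check translates to any JWT library: pass the allowed algorithm list explicitly on every verify call (most libraries accept an `algorithms` or equivalent parameter), never derive it from the token, and treat a library that still returns claims for an 'alg: none' token as the defect the solution text describes.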

Plugin Details

Severity: High

ID: 112703

Type: remote

Published: 2/16/2021

Updated: 11/26/2021

Scan Template: api, scan, pci

Risk Information


Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable


Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable
