JSON Web Token None Hashing Algorithm

high Web Application Scanning Plugin ID 112703

Synopsis

Description

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity.

JSON Web Tokens can be configured by an application with the 'none' algorithm and an empty signature, leaving the data unsigned and mutable without any verification. In addition, some libraries used to handle JSON Web Tokens may also have a bad implementation of this algorithm, leading to the tokens set with the 'none' algorithm being verified even when they are originally created with a signature.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

Applications configured to create JSON Web Tokens with the 'none' algorithm should be updated to use a supported signing algorithm with a strong secret or private key. If an unsigned token has been verified by the application despite having been created with a signature, ensure that the library used to handle JSON Web Tokens does not automatically verify tokens with the 'none' algorithm.