JWT no algorithm¶
Description¶
We sent a token whose header declares `alg: none` (and therefore carries no signature), and the server accepted it. The signature is the only thing that binds a token's claims to the issuer, so a server that honours `none` lets an attacker handcraft a token with arbitrary claims (another user's identifier, an admin role) and impersonate that user.
Remediation¶
Never let the token's `alg` header decide how the token is verified. Pin the expected algorithm (and the key that goes with it) in the server configuration, pass that allow-list to the library's verify call, and reject anything else, including `none` and its case variants, before the signature is examined. Keep one algorithm family per key: a verifier that accepts both HS256 and RS256 against the same key material can be tricked into treating the RSA public key as an HMAC secret. Most JWT libraries no longer accept `none` by default, but keep the algorithm list explicit in code rather than depending on a library default.
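The following Python example is added here and is not part of the original page or of any of the frameworks listed below. It shows both halves of the finding: the unsigned `alg: none` token the scanner sends, a verifier that trusts the header (and therefore accepts the forgery), and a verifier that pins the algorithm server-side, which is the check every framework entry below describes in prose. It uses only the standard library, so HS256 stands in for whatever algorithm a deployment actually uses; the secret, the claims and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example only. A real service loads the secret from a
# secret store and uses at least 32 random bytes.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
EXPECTED_ALG = "HS256"   # chosen by the server, never read from the token


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWS. Any spelling of 'none' yields an unsigned token,
    which is exactly what the scanner sent."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)
    if alg.lower() == "none":
        return signing_input + "."      # empty third segment: no signature at all
    raise ValueError(f"unsupported alg {alg!r}")


def parse_token(token: str):
    """Split a compact JWS into (header dict, claims dict, raw segments)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts


def _hs256_ok(parts, key: bytes) -> bool:
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(parts[2]))


def verify_insecure(token: str, key: bytes) -> dict:
    """VULNERABLE: lets the token's own header pick the verification method,
    so alg=none skips the signature check entirely."""
    header, claims, parts = parse_token(token)
    if header.get("alg") == "none":
        return claims
    if header.get("alg") == "HS256" and _hs256_ok(parts, key):
        return claims
    raise ValueError("invalid signature")


def verify_pinned(token: str, key: bytes) -> dict:
    """HARDENED: the server decides the algorithm. The header only has to match
    it exactly, so 'none', 'None', 'NONE' and any unexpected algorithm all fail
    before any signature logic runs (an allow-list, not a deny-list of bad names)."""
    header, claims, parts = parse_token(token)
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    if not parts[2]:
        raise ValueError("missing signature")
    if not _hs256_ok(parts, key):
        raise ValueError("invalid signature")
    return claims


def is_accepted(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims for the token, False if it rejects it."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Replays the finding: a legitimate token and a forged alg=none token
    against both verifiers."""
    legit = make_token({"sub": "alice", "role": "user"}, "HS256", SERVER_SECRET)
    forged = make_token({"sub": "admin", "role": "admin"}, "none")
    return {
        "insecure_accepts_legit": is_accepted(verify_insecure, legit, SERVER_SECRET),
        "insecure_accepts_forged": is_accepted(verify_insecure, forged, SERVER_SECRET),
        "pinned_accepts_legit": is_accepted(verify_pinned, legit, SERVER_SECRET),
        "pinned_accepts_forged": is_accepted(verify_pinned, forged, SERVER_SECRET),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The only difference between the two verifiers is who chooses the algorithm. In a real service the same allow-list goes into the library's verify call (for example the `algorithms` argument of PyJWT's `jwt.decode` or of jsonwebtoken's `jwt.verify`), and for RS256 or ES256 the verification key is the public key, which must never be handed to an HMAC verifier.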
GraphQL Specific¶
Apollo
Ensure that the Apollo Server implementation verifies the JWT with a secure, explicitly configured algorithm. Do not allow the 'none' algorithm; set the expected algorithm in the server configuration rather than relying on library defaults, and use a library that requires the algorithm list to be specified.
Awsappsync
Ensure that the JWTs accepted by AWS AppSync are verified with a secure, explicit algorithm. The expected algorithm (for example HS256 or RS256) belongs in the verifier configuration, not in the token: reject tokens whose 'alg' header is 'none' and validate the header against an allow-list of accepted algorithms.
Graphqlgo
Ensure that the JWT implementation in the GraphQL Go engine explicitly specifies and validates the signing algorithm. Do not allow the 'none' algorithm, and reject any token whose header does not match the configured algorithm. Configure the JWT middleware to require a secure standard algorithm such as HS256, RS256 or ES256 and verify the signature with the corresponding key.
Graphqlruby
Ensure that the JWT implementation used with GraphQL Ruby is configured with a secure, explicit algorithm for encoding and verification. Avoid the 'none' algorithm; specify HS256 or RS256 and validate the 'alg' header against it to prevent algorithm manipulation. Prefer a library that follows current JWT security guidance.
Hasura
Ensure that the Hasura engine's JWT configuration rejects tokens with 'none' as the algorithm. List the allowed algorithms explicitly in the JWT configuration and use a library that supports algorithm allow-listing.
Agoo
Ensure that the JWT implementation in the Agoo engine rejects tokens with the 'none' algorithm. Always specify a secure algorithm such as HS256 or RS256 and verify the token's signature before accepting it.
Ariadne
Ensure that the JWT implementation used with Ariadne rejects tokens with the 'none' algorithm. Always specify a secure algorithm such as HS256 or RS256 and verify the token's signature before trusting its claims.
Caliban
Ensure that the Caliban engine rejects JWTs with the 'none' algorithm by validating both the algorithm and the signature. Accept only tokens signed with a configured secure algorithm such as HS256 or RS256.
Dgraph
Ensure that JWT validation checks for an expected, secure algorithm such as HS256 or RS256 and rejects tokens with the 'none' algorithm.
Dianajl
Ensure that the JWT implementation in the DianaJL engine enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm, which would otherwise allow token forgery.
Directus
Ensure that Directus rejects JWTs with the 'none' algorithm by enforcing strict algorithm validation and accepting only tokens signed with a secure algorithm such as HS256 or RS256.
Flutter
Ensure that the server-side JWT validation (the Flutter client cannot enforce this) rejects tokens with the 'none' algorithm, accepts only tokens signed with a strong algorithm such as HS256 or RS256, and verifies the signature before processing the token.
Graphene
Ensure that the Graphene application rejects JWTs with the 'none' algorithm by validating both the signature and the algorithm server-side. Accept only tokens signed with a secure algorithm such as HS256 or RS256, and audit the authentication code regularly.
Graphqlapiforwp
Ensure that the JWT implementation used with GraphQL API for WP enforces secure algorithms such as HS256 or RS256 and explicitly disallows the 'none' algorithm to prevent token forgery.
Graphqlgophergo
Ensure that the JWT implementation used with the GraphQL Gopher-Go engine rejects tokens with the 'none' algorithm, enforces strict algorithm validation and accepts only tokens signed with a secure algorithm such as HS256 or RS256.
Graphqljava
Ensure that JWT validation explicitly rejects tokens using the 'none' algorithm. Configure the GraphQL Java application to enforce an explicit list of allowed algorithms and to verify the signature against the expected key.
Graphqlphp
Ensure that the GraphQL-PHP application rejects JWTs with the 'none' algorithm by validating both the signature and the algorithm. Maintain an allow-list of accepted algorithms and verify the token's integrity before processing any request.
Graphqlyoga
Ensure that JWT validation checks for an expected signing algorithm and rejects tokens with the 'none' algorithm.
Hypergraphql
Ensure that JWT validation in the HyperGraphQL engine rejects tokens using the 'none' algorithm. Accept only tokens signed with a secure algorithm such as HS256 or RS256, and verify the signature against the trusted secret or public key.
Jaal
Ensure that the JWT library used with the Jaal engine rejects tokens with the 'none' algorithm by strictly validating the algorithm parameter, and verify the token's signature server-side before accepting it.
Juniper
Ensure that the JWT implementation used with Juniper enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm, which would otherwise allow token forgery.
Lacinia
Ensure that the Lacinia engine rejects JWTs with the 'none' algorithm by enforcing strict algorithm validation and accepting only tokens signed with secure algorithms such as HS256 or RS256.
Lighthouse
Ensure that the server explicitly specifies and enforces a strong algorithm for JWT verification, such as HS256 or RS256, and never accepts tokens with the 'none' algorithm.
Mercurius
Ensure that the Mercurius application rejects JWTs with the 'none' algorithm by validating both the signature and the algorithm. Configure the server to accept only tokens signed with a secure algorithm such as HS256 or RS256 and verify the token's integrity before processing any request.
Morpheusgraphql
Ensure that the Morpheus GraphQL engine rejects JWTs with the 'none' algorithm by enforcing a secure algorithm such as HS256 or RS256, and validate both the signature and the claims.
Gqlgen
Ensure that JWT validation in the gqlgen application explicitly rejects tokens using the 'none' algorithm, and always specify and enforce a strong algorithm such as HS256 or RS256 for signing and verification.
Sangria
Ensure that the JWT implementation used with Sangria enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
Shopify
Ensure that the server rejects JWTs with the 'none' algorithm by explicitly specifying and validating the expected signing algorithm, and verify the integrity and authenticity of every token before processing it.
Stepzen
Ensure that JWT validation in StepZen enforces a secure algorithm such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
Strawberry
Ensure that the JWT implementation used with Strawberry enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
Tartiflette
Ensure that JWT validation in the Tartiflette application explicitly rejects tokens using the 'none' algorithm. Accept only tokens signed with a secure algorithm such as HS256 or RS256, and verify the signature against the trusted secret or public key.
Wpgraphql
Ensure that the JWT implementation used with WPGraphQL enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
REST Specific¶
Asp_net
Ensure that the JWT bearer authentication handler in the ASP.NET application rejects tokens with the 'none' algorithm. Configure the token validation parameters with the explicit list of algorithms the server expects, require a signature, and reject any JWT without a valid one.
Ruby_on_rails
In Ruby on Rails, validate JWTs with an explicit algorithm in the decode call. With the 'ruby-jwt' gem, for example, `JWT.decode(token, secret_key, true, { algorithm: 'HS256' })` turns verification on (the third argument) and pins HMAC-SHA256, so a token whose header says 'none' is rejected.
Next_js
Ensure that JWT verification in the Next.js application does not accept 'none' as a valid algorithm. Configure the JWT library with an explicit, secure algorithm such as HS256 or RS256 and reject any token whose header names a different one.
Laravel
Ensure that the JWT package used in the Laravel application rejects tokens with the 'none' algorithm. Set the expected algorithm in the configuration, validate the token's 'alg' header against it, and verify the signature against the server's secret or public key. Apply these checks in the JWT middleware so every request passes through them.
Express_js
Ensure that JWT verification in Express.js enforces an explicit, secure algorithm. Update the verification middleware to pass the accepted algorithms explicitly and to reject tokens with 'none' as the algorithm.
Django
Ensure that the JWT library used with Django rejects tokens with 'none' as the algorithm. List the allowed algorithms explicitly in the JWT_AUTH settings, verify the signature with a secure algorithm such as HS256 or RS256, and check that the algorithm in the token matches the expected one.
Symfony
In Symfony, ensure that the JWT library or bundle in use rejects tokens with the 'none' algorithm. Accept only tokens signed with explicit, secure algorithms such as HS256 or RS256, enforce this in the security configuration, and reject any token that does not meet the criteria. Log and alert on rejected tokens so attempts to use the 'none' algorithm are visible.
Spring_boot
Ensure that the JWT parser in the Spring Boot application rejects tokens with the 'none' algorithm. Set the expected signing algorithm explicitly, verify the signature with the proper key, and use a strong standard algorithm such as HS256, RS256 or ES256. Check that the 'alg' header matches the expected algorithm.
Flask
Ensure that the JWT library used with Flask rejects tokens with the 'none' algorithm. Pass the 'algorithms' argument to the decode function with only the secure algorithms you accept, such as HS256 or RS256, and validate the token header before processing the claims.
Nuxt
Ensure that the server verifies JWTs with a secure, specified algorithm and rejects tokens with 'none' as the algorithm. Update the Nuxt.js application's authentication middleware to accept only tokens signed with robust algorithms such as HS256 or RS256.
Fastapi
Ensure that the FastAPI application rejects JWTs with the 'none' algorithm. Validate the algorithm in the JWT header against the algorithms the server expects, and update the JWT authentication dependency to pass that allow-list explicitly. Use a maintained library such as PyJWT with the signing algorithm stated in the decode call, and keep it up to date for security fixes.
Frappe
Ensure that the server enforces a strong algorithm such as HS256 or RS256 for JWTs, never accepts tokens with the 'none' algorithm, and validates both the signature and the claims.
Genzio
Ensure that the JWT implementation in the Genzio engine enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
Gin
Ensure that the JWT middleware in the Gin application rejects tokens with the 'none' algorithm by specifying a secure algorithm (for example HS256 or RS256) and verifying the signature before accepting the token.
Gorilla
Ensure that the server rejects tokens using the 'none' algorithm. Always validate the algorithm in the JWT header against the configured one and accept only secure algorithms such as HS256 or RS256.
Hapi
Ensure that JWT validation in the Hapi application specifies the expected algorithm(s) explicitly and rejects tokens with the 'none' algorithm.
Hono
Ensure that the JWT library used with Hono rejects tokens with the 'none' algorithm. Always specify a strong algorithm such as HS256 or RS256 for verification.
Jersey
Ensure that the JWT library used with Jersey rejects tokens with the 'none' algorithm by explicitly listing the accepted algorithms and verifying the signature before processing.
Koa
Ensure that JWT verification in the Koa application specifies a secure algorithm such as HS256 or RS256 and never accepts tokens with the 'none' algorithm; configure the JWT library to reject any token that does not match the expected algorithm.
Ktor
Ensure that JWT authentication in the Ktor application rejects tokens with the 'none' algorithm by specifying a secure algorithm such as HS256 or RS256 and verifying the signature before accepting the token.
Leptos
Ensure that the JWT implementation used with Leptos enforces secure algorithms such as HS256 or RS256 and explicitly rejects tokens with the 'none' algorithm.
Macaron
Ensure that the JWT middleware in the Macaron application rejects tokens with the 'none' algorithm by specifying a secure algorithm such as HS256 or RS256 for verification.
Phoenix
Ensure that the Phoenix application rejects JWTs with the 'none' algorithm by validating the algorithm field in the token header and using a secure algorithm such as HS256 or RS256 for signing and verification.
Redwoodjs
Ensure that JWT verification in the RedwoodJS application specifies a secure algorithm such as HS256 or RS256 and never accepts tokens with the 'none' algorithm; configure the JWT library to reject any token that does not match the expected algorithm.
Rocket
Ensure that the JWT library used with Rocket rejects tokens with the 'none' algorithm by explicitly listing the supported algorithms and verifying the signature.
Sveltekit
Ensure that the SvelteKit server verifies the JWT signature with an explicit, secure algorithm such as HS256 or RS256 and rejects tokens with the 'none' algorithm.
Configuration¶
Identifier:
injection/jwt_alg_none
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API2:2023
- OWASP LLM: LLM06:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-63B
- fedramp: AC-2
Classification¶
- CWE: 287
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- CVSS_SCORE: 9.3