Skip to main content

JWT no algorithm

Description

We sent a token with the 'none' algorithm and it was accepted by the server. This means that we can handcraft any token to impersonate another user.

Remediation

You must validate the algorithm used to sign the token before checking it's signature.

GraphQL Specific

Apollo

Ensure that the Apollo server implementation validates the JWT with a secure, specified algorithm. Do not allow the 'none' algorithm, and always define the algorithm in the server configuration to prevent attackers from exploiting default or unspecified settings. Use libraries that enforce algorithm specification and do not default to 'none'.

Yoga

Ensure that the Yoga framework engine is configured to reject JWTs with 'none' as the algorithm. Explicitly specify the algorithm expected in the JWT configuration and use a library that does not allow 'none' as a valid algorithm. Additionally, implement proper error handling to reject any JWT that does not meet the security requirements.

Awsappsync

Ensure that the JWT tokens used in AWS AppSync are configured to use a secure and explicit algorithm for signature verification. Avoid using the 'none' algorithm, and instead specify a robust algorithm like HS256 or RS256 in the token's header. Update the authentication logic to reject tokens with 'alg' set to 'none' and validate the algorithm used in the token against a whitelist of secure algorithms.

Graphqlgo

Ensure that the JWT implementation in the GraphQL Go framework engine explicitly specifies and validates the algorithm used for token signing. Do not allow the 'none' algorithm, and reject any tokens that do not have a matching algorithm specified in the header. Configure the JWT middleware to require a secure, standard algorithm such as HS256, RS256, or ES256, and validate the JWT signature accordingly.

Graphqlruby

Ensure that the JWT implementation in the GraphQL Ruby framework is configured to use a secure and explicit algorithm for token encoding and validation. Avoid using the 'none' algorithm, and instead specify a robust algorithm like 'HS256' or 'RS256'. Validate the 'alg' header of the JWT to prevent algorithm manipulation attacks. Additionally, consider using a library that adheres to the latest security standards for JWT handling.

Hasura

Ensure that the Hasura engine is configured to reject JWTs with 'none' as the algorithm. Specify the allowed algorithms explicitly in the JWT configuration and use a library that supports algorithm whitelisting to prevent unauthorized access.

REST Specific

Asp_net

Ensure that the JWT authentication handler in the ASP.NET application is configured to reject tokens with the 'none' algorithm. Implement strict checks to only accept tokens signed with secure and explicit algorithms that the server expects. Update the token validation parameters to specify the allowed algorithms and reject any JWT without a proper signature.

Ruby_on_rails

In Ruby on Rails, ensure that JWT tokens are validated with a secure algorithm by explicitly specifying the algorithm in the decode method. Use a library like 'ruby-jwt' and configure it to reject 'none' as a valid algorithm. For example, use JWT.decode(token, secret_key, true, { algorithm: 'HS256' }) to specify HMAC SHA-256 as the algorithm and prevent accepting tokens with 'none' algorithm.

Next_js

Ensure that the JWT implementation in the Next.js application does not accept 'none' as a valid algorithm. Configure the JWT library to require a secure and explicit algorithm, such as HS256 or RS256, for token verification. Additionally, implement checks to reject any tokens that specify 'alg': 'none' in their headers to prevent unauthorized access.

Laravel

Ensure that the JWT package in use within the Laravel application is configured to reject tokens with the 'none' algorithm. Set a default algorithm in the configuration and validate the 'alg' header of the JWT to match the expected algorithm. Additionally, implement strict checks to ensure that the token's signature is verified against the server's secret or public key. Update the JWT middleware to enforce these security measures and prevent unauthorized token usage.

Express_js

Ensure that the JWT verification in Express.js strictly enforces a secure, non-'none' algorithm. Update the JWT verification middleware to reject tokens with 'none' as the algorithm and specify the accepted algorithms explicitly.

Django

Ensure that the JWT library in Django is configured to reject tokens with 'none' as the algorithm. Explicitly specify the allowed algorithms in the JWT_AUTH settings and validate the JWT signature with a secure algorithm like HS256 or RS256. Update the authentication code to verify the algorithm used in the token matches the expected one.

Symfony

In the Symfony framework, ensure that the JWT library or bundle in use is configured to reject tokens with the 'none' algorithm. Set a strict policy to only accept tokens signed with secure and explicit algorithms, such as HS256 or RS256. Update the security settings to enforce this policy and add checks to reject any tokens that do not meet the required criteria. Additionally, implement robust logging and monitoring to detect and alert on any attempts to use tokens with the 'none' algorithm.

Spring_boot

Ensure that the JWT parser in the Spring Boot application is configured to reject tokens with the 'none' algorithm. Set the expected signing algorithm explicitly and validate the JWT signature with a proper key. Update the security configuration to use a strong, standard algorithm like HS256, RS256, or ES256 for token verification. Additionally, implement checks to ensure that the 'alg' header in the JWT matches the expected algorithm.

Flask

Ensure the JWT library in Flask is configured to reject tokens with the 'none' algorithm. Set the 'algorithms' argument in the decode function to only accept secure and appropriate algorithms, such as HS256 or RS256. Additionally, implement checks to verify the integrity of the token's header before processing it.

Nuxt

Ensure the server validates the JWT with a secure and specified algorithm, rejecting any tokens with 'none' as the algorithm. Update the Nuxt.js application's authentication middleware to only accept tokens signed with robust algorithms like HS256 or RS256.

Fastapi

Ensure that the FastAPI application is configured to reject JWT tokens with the 'none' algorithm. Implement checks to validate the algorithm used in the JWT header, and only accept tokens signed with secure and expected algorithms. Update the JWT authentication dependency to explicitly specify the allowed algorithms and to disallow the 'none' option. Additionally, consider using a robust library like PyJWT with a clear specification of the signing algorithm, and always keep the library up to date to incorporate any security fixes.

Configuration

Identifier: injection/jwt_alg_none

Examples

Ignore this check

checks:
  injection/jwt_alg_none:
    skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API2:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-63B
  • fedramp: AC-2

Classification

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • CVSS_SCORE: 9.3