lcimeni / youtube


NowSecure dynamic analysis: JSON Web Token Not Protected By Signature #465

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

Unsigned JSON Web Tokens (JWTs) have a token header containing "alg": "none", but are only intended for use in rare situations when the integrity of a token is already verified using a different means.

Properly signed JWTs help to verify the integrity of the data contained within to support operations including authorization and information transfer. Properly configured JWTs designate a signing algorithm in the "alg" field of the header.

Steps to Reproduce

Review how the app uses JWTs and determine if the token’s header contains a signing algorithm instead of "alg": "none".

For this check, network flows are examined for unsigned JSON Web Tokens (JWTs). JWTs are common access tokens used to grant access to resources.

Business Impact

Unsigned JWTs expose the app to risks associated with data integrity. An attacker could modify the data within the unsigned JWT without the user’s or business’ knowledge, leading to possible follow-on attacks. Trusting unsigned user identifiers could lead to account takeover.

Remediation Resources

Always ensure that JWTs are signed to protect data integrity by designating a secure signing algorithm in the header section "alg": "<HS256 or other algorithm>".

Risk and Regulatory Information

Severity: low CVSS: 2.3

Application

See more detail in the NowSecure Report
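An added Python example, not from the NowSecure report or the lcimeni/youtube repository, showing the verifier-side counterpart of the remediation above: the server fixes its own algorithm allowlist, so a token whose header says "alg": "none" (or any algorithm the server did not choose) is rejected before its signature is even looked at. The secret and the sample tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-secret-not-for-production"
# Server-side allowlist: the token never gets to choose its own algorithm.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a properly signed HS256 JWT (the form the finding asks for)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample of what the scanner flags: 'alg': 'none', empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def verify_token(token: str, secret: bytes) -> dict:
    """Return the claims only if the header names an allowed algorithm and the
    HMAC validates; 'alg': 'none' and unknown algorithms are rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected token with alg={alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, secret: bytes = SECRET) -> bool:
    try:
        verify_token(token, secret)
        return True
    except ValueError:  # covers bad base64, bad JSON, bad alg and bad signature
        return False
```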