Unsigned JSON Web Tokens (JWTs) carry a token header containing "alg": "none". They are only intended for the rare situations in which the integrity of the token has already been verified by some other means.
Properly signed JWTs let the recipient verify the integrity of the data they contain, which is what makes them usable for operations such as authorization and information transfer. A properly configured JWT designates a signing algorithm in the "alg" field of its header.
Steps to Reproduce
Review how the app uses JWTs and determine whether each token's header designates a signing algorithm (for example "alg": "HS256") rather than "alg": "none".
Business Impact
Network traffic to or from the app carries tokens that are not integrity-protected, so the data they contain is potentially vulnerable to undetected modification.
Remediation Resources
Always ensure that JWTs are signed, protecting data integrity by designating a secure signing algorithm in the header, "alg": "<HS256 or other algorithm>". This is most likely a problem in a backend service that issues or accepts the tokens, and it cannot necessarily be corrected by changing the app itself.
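The following stdlib-only Python is an added example, not code from NowSecure or from the scanned app. It shows both the check from Steps to Reproduce (is_unsigned flags a header with "alg": "none") and the remediation side (verify_hs256 accepts only a correctly signed HS256 token and rejects "alg": "none" or a tampered payload). The key and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded header so its 'alg' field can be inspected."""
    return json.loads(b64url_decode(token.split(".")[0]))


def is_unsigned(token: str) -> bool:
    """The finding's check: does the header declare "alg": "none" (or no alg at all)?"""
    return str(jwt_header(token).get("alg", "none")).lower() == "none"


def verify_hs256(token: str, key: bytes) -> dict:
    """Accept only HS256 tokens whose HMAC matches; any other alg is rejected outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match")
    return json.loads(b64url_decode(payload_b64))


def make_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Build a compact JWT for testing; key=None yields an unsigned alg-none token."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    if key is None:
        return signing_input + "."  # empty signature segment, as alg none produces
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)
```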
Risk and Regulatory Information
Severity: low CVSS: 2.3