JWT Algorithm None Analyzer
Configuration Name: JWTAlgorithmNone
Description
The JWTAlgorithmNone analyzer checks whether an application accepts a JSON Web Token (JWT) with its algorithm property (alg) set to none.
For each request in the sequence walk, a modified version of the JWT is generated with alg: "none". If the application accepts the request and returns a 2xx (success) or 5xx (server error) response, then a finding is reported.
Faults Reported
The JWTAlgorithmNone analyzer reports two types of findings based on the response from the application:
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-347 | JWT with algorithm "none" accepted | A request succeeded with a JWT that has alg: "none", indicating the application does not validate the JWT algorithm. This allows attackers to forge JWTs with arbitrary claims. | Applications must enforce JWT algorithm validation and reject tokens with "none". | High |
| CWE-347 | JWT with algorithm "none" caused service exception | A request with a JWT set to alg: "none" resulted in a service exception. The application is expected to return a 4xx client error for an invalid JWT but instead encountered an internal error. | Applications must enforce JWT algorithm validation and return a client error (e.g., 401 Unauthorized) for invalid JWTs. | Medium |
Rule Evaluation
The JWTAlgorithmNone analyzer is executed on every API operation in the sequence walk. It modifies the JWT by setting alg: "none" in the header and sends the request. If the application does not properly validate the JWT, a finding is reported.
- If the response is 2xx, the application incorrectly accepts the token.
- If the response is 5xx, the application fails with a server error, indicating improper handling of invalid JWTs.
Remediation Steps
To mitigate the security risks associated with accepting JWTs with alg: "none", implement the following remediation steps:
- Enforce Algorithm Validation
  - Ensure that all JWTs are validated against an expected algorithm (e.g., RS256, HS256).
  - Use strict configuration settings to reject JWTs with alg: "none".
- Reject Invalid JWTs
  - Implement strict JWT verification logic that explicitly disallows tokens where alg: "none" is specified.
  - Configure JWT libraries and authentication middleware to require a specific set of secure algorithms.
- Enhance Server Response Handling
  - Ensure the application responds with a 4xx (client error) when an invalid JWT is provided.
  - Avoid server crashes or unhandled exceptions by properly handling JWT parsing errors.
- Perform Security Testing
  - Regularly test authentication mechanisms for JWT misconfigurations.
  - Conduct security audits and penetration tests to ensure that JWTs with alg: "none" are correctly rejected.
- Monitor and Log JWT Usage
  - Log all authentication-related failures, including invalid JWT attempts.
  - Set up monitoring and alerting for repeated invalid JWT attempts, which may indicate an attack.
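A minimal verifier covering the first three remediation steps (algorithm validation, rejecting invalid tokens, 4xx instead of 5xx), added here as an example that is not part of the analyzer or of any JWT library: it checks the algorithm against an explicit allow-list before any signature work, and turns every failure (alg "none", a missing alg, a tampered signature, a malformed token) into a 401 rather than an unhandled exception. The HS256 secret and the make_token helper are constructed for the demonstration only.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed key; load from a secret store in practice
ALLOWED_ALGS = {"HS256"}  # explicit allow-list: "none" (any casing) can never pass

class InvalidToken(Exception):
    """Any token the service must answer with a 4xx (401), never a 5xx."""

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_jwt(token: str) -> dict:
    """Return the claims of a valid HS256 token; raise InvalidToken otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # wrong segment count, bad base64 or JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("header and payload must be JSON objects")
    # Check the allow-list before touching the signature: alg "none", a missing
    # alg, or any unexpected algorithm is rejected up front, never "verified".
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("signature mismatch")
    return payload

def handle_request(token: str) -> int:
    """HTTP status the endpoint returns: 200 for a valid token, 401 for every invalid one."""
    try:
        verify_jwt(token)
        return 200
    except InvalidToken:
        return 401

def make_token(header: dict, payload: dict, sign: bool) -> str:
    """Constructed test tokens; sign=False leaves the signature segment empty, as alg "none" tokens do."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if not sign:
        return f"{h}.{p}."
    return f"{h}.{p}.{_b64url_encode(hmac.new(SECRET, f'{h}.{p}'.encode(), hashlib.sha256).digest())}"
```

With a real library, the equivalent is passing an explicit list of accepted algorithms to the verification call and catching its error type at the middleware boundary so it maps to 401.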