JWT missing secret or public key verification

ID: js/jwt-missing-verification
Kind: problem
Security severity: 7.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-347
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Applications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.

The `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload, leading to critical security issues like privilege escalation.
Recommendation

Calls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.
Example

In the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.

```javascript
const jwt = require("jsonwebtoken");
const secret = "my-secret-key";
// BAD: the token is issued with the "none" algorithm and verified with a falsy
// key, so no signature is ever checked.
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" });
jwt.verify(token, false, { algorithms: ["HS256", "none"] });
```

The following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.

```javascript
const jwt = require("jsonwebtoken");
const secret = "my-secret-key";
// GOOD: the token is signed with HS256 and verified against the shared secret.
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" });
jwt.verify(token, secret, { algorithms: ["HS256", "none"] });
```
References

- Auth0 Blog: Meet the "None" Algorithm.
- Common Weakness Enumeration: CWE-347.