January 25, 2023
JWT stands for JSON Web Token, a standardized format (RFC 7519) for representing claims between two parties. It is commonly used for authentication and authorization in web applications, carrying information such as user identities and session data in a compact, URL-safe string. A JWT consists of three parts: a header, a payload, and a signature. The header names the algorithm used to sign the token, and the payload holds the claims about the user, such as a name, email address or role. The signature lets the recipient check that the token was produced by the expected issuer and that the header and payload have not been altered; without that check, the token is just two base64url-encoded JSON documents that anyone can rewrite.
The JWT "none" algorithm attack is a vulnerability that arises when a server accepts a JWT whose header names the "none" algorithm. In the JWT specification (RFC 7518), "none" is a reserved alg value meaning the token is unsecured: no signature or MAC is applied to it. The spec value is lowercase, but testers also try "None", "NONE" and mixed-case variants, because some implementations only block the exact spelling or normalise case before comparing.
In other words, such a JWT carries no signature, so anyone holding it can modify the payload without detection. This is a serious issue wherever the server uses the token to authenticate a user for a protected resource: an attacker can rewrite claims such as the subject, role or scope and thereby grant themselves access to that resource, including access that belongs to another or more privileged user.
Severity: Medium to Critical
OWASP Category: API2:2019 Broken User Authentication
After decoding the JWT:
The JWT consists of three base64url-encoded segments separated by dots (the third may be empty).
- The first part (eyJhbG...) is the header, which specifies the algorithm used to sign the JWT. In this case the algorithm is "None", which means the JWT is not signed.
- The second part (eyJzY29wZSI6...) is the payload, which contains claims about the user, such as their scope of access and the time the JWT was issued.
- The third part (an empty string) is the signature, which is supposed to be a MAC or digital signature computed over the header and payload with the server's key. Since the algorithm is "None", there is no signature, and a server that honours the header has nothing to verify.
The modified JWT after decoding:
We used a PortSwigger lab to test this. Navigate through the screens below to understand the test:
In general, accepting the "NONE" algorithm has significant consequences, because it allows anyone who holds a JWT to tamper with its contents without detection. The resulting risks include impersonation of other users, escalation of claims such as roles or scopes, and bypass of any authorization decision the server bases on the token.
To prevent this type of attack, the server must never let the token's own header decide how the token is verified: configure the JWT library with an explicit allowlist of the algorithm(s) the server actually issues, reject "none" in any casing, verify every token against the expected key, and fail closed whenever the signature is missing or invalid.
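The following is an added example, not code from the original post or from the PortSwigger lab it references. It ties together the token breakdown above and the prevention advice: it issues a properly signed HS256 token, forges the "none" variant exactly as the decoded walkthrough describes (payload edited, alg changed, signature segment left empty), and then runs both tokens through a verifier that trusts the header next to one that enforces an algorithm allowlist. The secret, claims and usernames are constructed for the demo, and only the Python standard library is used.

```python
"""Added example (not from the original post): the alg=none attack end to end,
with a verifier that falls for it beside one that does not.
The secret, claims and usernames below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real server keeps this in a secret store.
SERVER_SECRET = b"demo-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: dict, secret: bytes) -> str:
    """What a legitimate issuer does: HMAC-SHA256 over header.payload."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none(token: str, alg_value: str = "none", **new_claims) -> str:
    """The attack: keep the victim's payload, edit claims, set alg to none and
    leave the signature segment empty. alg_value lets you try casing variants
    such as "None" or "NONE", which some filters fail to block."""
    _, payload_seg, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_seg))
    claims.update(new_claims)
    return _encode_json({"alg": alg_value, "typ": "JWT"}) + "." + _encode_json(claims) + "."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Lets the attacker-controlled header decide how to verify. When it says
    none, 'no signature' is treated as 'valid', so any payload is accepted."""
    header_seg, payload_seg, sig_seg = token.split(".")
    alg = json.loads(b64url_decode(header_seg)).get("alg", "")
    if alg.lower() == "none":  # normalising case is why None/NONE variants also pass
        return json.loads(b64url_decode(payload_seg))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return json.loads(b64url_decode(payload_seg))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """The server knows it issues HS256, so that is the only algorithm it will
    accept; the header is compared against that allowlist, never used to pick
    a code path. Anything malformed, unsigned or mismatched fails closed."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_seg))


def demo() -> dict:
    """Runs the attack against both verifiers and returns what each accepted."""
    victim = issue_hs256({"sub": "alice", "scope": "user"}, SERVER_SECRET)
    forged = forge_none(victim, sub="admin", scope="admin")
    return {
        "victim_vulnerable": verify_vulnerable(victim, SERVER_SECRET),
        "forged_vulnerable": verify_vulnerable(forged, SERVER_SECRET),
        "victim_hardened": verify_hardened(victim, SERVER_SECRET),
        "forged_hardened": verify_hardened(forged, SERVER_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The forged token verifies as an administrator against `verify_vulnerable` and is rejected outright by `verify_hardened`, which never consults the header to choose a verification path. The same allowlist discipline applies when using a real library: pass the accepted algorithms explicitly (for example PyJWT's `algorithms=["HS256"]`) rather than relying on whatever the token claims.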
We also recently wrote about a CVE found in JWT; read more here. In the next blog, we will look at how attackers can exploit expired auth tokens. Stay tuned!