Products

Pricing

Test Library

Solutions

Resources

See docs

Start free

Test Library

JWT None Algorithm

Since NONE Algorithm JWT is accepted by the server the attacker can tamper with the payload of JWT and access protected resources.

Broken User Authentication (BUA)

"The endpoint appears to be vulnerable to broken authentication attack.The original request was replayed by changing algorithm of JWT token to NONE in request headers. The server responded with 2XX success codes. This indicates that this endpoint can be accessed without JWT signature which means a malicious user can get unauthorized access to this endpoint.<br><br>" "<b>Background:</b> All JSON Web Tokens should contain the \"alg\" header parameter, which specifies the algorithm that the server should use to verify the signature of the token. In addition to cryptographically strong algorithms the JWT specification also defines the \"none\" algorithm, which can be used with \"unsecured\" (unsigned) JWTs. When this algorithm is supported on the server, it may accept tokens that have no signature at all.<br><br>" "As the JWT header can be tampered with client-side, a malicious user could change the \"alg\" header to \"none\", then remove the signature and check whether the server still accepts the token."

"The endpoint appears to be vulnerable to broken authentication attack.The original request was replayed by changing algorithm of JWT token to NONE in request headers. The server responded with 2XX success codes. This indicates that this endpoint can be accessed without JWT signature which means a malicious user can get unauthorized access to this endpoint.<br><br>" "<b>Background:</b> All JSON Web Tokens should contain the \"alg\" header parameter, which specifies the algorithm that the server should use to verify the signature of the token. In addition to cryptographically strong algorithms the JWT specification also defines the \"none\" algorithm, which can be used with \"unsecured\" (unsigned) JWTs. When this algorithm is supported on the server, it may accept tokens that have no signature at all.<br><br>" "As the JWT header can be tampered with client-side, a malicious user could change the \"alg\" header to \"none\", then remove the signature and check whether the server still accepts the token."

Impact of the vulnerability

Impact of the vulnerability

"If JWT none algorithm works, attacker can do a full account takeover. They can also exploit this vulnerability by supplying an arbitrary claim in the JWT payload to escalate their privileges or impersonate other users. For example, if the token contains a \"username\": \"joe\" claim, they could change this to \"username\": \"admin\"."

"If JWT none algorithm works, attacker can do a full account takeover. They can also exploit this vulnerability by supplying an arbitrary claim in the JWT payload to escalate their privileges or impersonate other users. For example, if the token contains a \"username\": \"joe\" claim, they could change this to \"username\": \"admin\"."

How this template works

APIs Selection

The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, the template filters the requests based on the response code, ensuring that it is greater than or equal to 200 and less than 300. It also checks if the request headers contain a specific value related to JWT.

Execute request

The template uses the execute section to define the type of request to be executed. In this case, it is a single request. The request is specified under the "requests" field, where you can define multiple requests if needed. The template also includes a replace_auth_header field, which replaces the authentication header with a specific token value from the auth_context.

Validation

The template includes a validation section to validate the response of the executed request. It checks the response code to ensure it is within the range of 200 to 300, indicating a successful response. If the response code meets the validation criteria, the template considers the request as valid.

Frequently asked questions

What is the purpose of the "JWT None Algorithm" vulnerability test

How does the test determine if the server is vulnerable to the "JWT None Algorithm" attack

What are the potential impacts of the "JWT None Algorithm" vulnerability

What category and subcategory does the "JWT None Algorithm" vulnerability fall under

Are there any references available for further information on the "JWT None Algorithm" vulnerability

What are the authentication requirements for this vulnerability test

Loved by security teams!

Loved by security teams!

Product Hunt Badge

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Security team,

Rippling

Explore other tests

JWT authentication bypass via jku header injection

CSRF Login attack

JWT Failed to verify Signature

Broken Authentication by removing auth token

CSRF test by removing csrf token

CSRF test by replacing with invalid csrf token

Learn more:

API security tests

5 min read

How to test JWT NONE Algorithm vulnerability?

OWASP top 10

10 min read

What's changed in OWASP API Security Top 10 2023 Release Candidate from 2019?

Suggest API security tests

Suggest API security tests

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.