JWT None Algorithm
Since a JWT signed with the "none" algorithm is accepted by the server, an attacker can tamper with the JWT payload and access protected resources.
Broken User Authentication (BUA)
How this template works
APIs Selection
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, the template filters requests by response code, keeping only those whose code is greater than or equal to 200 and less than 300. It also checks whether the request headers contain a specific value related to JWT.
Execute request
The template uses the execute section to define the type of request to be executed. In this case, it is a single request. The request is specified under the "requests" field, where multiple requests can be defined if needed. The template also includes a replace_auth_header field, which replaces the authentication header with a specific token value taken from the auth_context.
Validation
The template includes a validation section to validate the response of the executed request. It checks that the response code is greater than or equal to 200 and less than 300, indicating a successful response. If the response code meets the validation criteria, the template considers the request valid, meaning the server accepted the replaced token.
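The server-side check this template exercises, as an added example that is not part of the Akto template or its code: a strict verifier that decides the algorithm from its own allowlist, so an alg=none token carrying tampered claims is rejected (the non-2xx outcome the validate section treats as safe). The key, claims and function names below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this service verifies; 'none' is never listed, so the decision comes from here, not the token header.
ALLOWED_ALGS = ("HS256",)

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_hs256(claims: dict, key: bytes) -> str:
    """Issue a correctly signed HS256 token, as the server normally would (constructed example)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(mac)}"

def none_alg_variant(claims: dict) -> str:
    """The token shape this test sends: alg=none header, tampered claims, empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def verify(token: str, key: bytes) -> dict:
    """Strict verifier: reject disallowed algorithms before looking at the signature at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def server_accepts(token: str, key: bytes) -> bool:
    """Mirror of the template's validate step: True is the 2xx outcome that marks the API vulnerable."""
    try:
        verify(token, key)
        return True
    except ValueError:
        return False
```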
Frequently asked questions
What is the purpose of the "JWT None Algorithm" vulnerability test?
How does the test determine if the server is vulnerable to the "JWT None Algorithm" attack?
What are the potential impacts of the "JWT None Algorithm" vulnerability?
What category and subcategory does the "JWT None Algorithm" vulnerability fall under?
Are there any references available for further information on the "JWT None Algorithm" vulnerability?
What are the authentication requirements for this vulnerability test?
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', 'Validate', creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern-day organization."

Security team,
Rippling