JWT missing secret or public key verification¶
ID: js/jwt-missing-verification
Kind: problem
Security severity: 7.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-347
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Applications decoding JSON Web Tokens (JWT) may be misconfigured due to the None
algorithm.
The None
algorithm is selected by calling the verify()
function with a falsy value instead of a cryptographic secret or key. The None
algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.
Recommendation¶
Calls to verify()
functions should use a cryptographic secret or key to decode JWT payloads.
Example¶
In the example below, false
is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.
const jwt = require("jsonwebtoken");
const secret = "my-secret-key";
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" })
jwt.verify(token, false, { algorithms: ["HS256", "none"] })
The following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.
const jwt = require("jsonwebtoken");
const secret = "my-secret-key";
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" })
jwt.verify(token, secret, { algorithms: ["HS256", "none"] })
References¶
Auth0 Blog: Meet the “None” Algorithm.
Common Weakness Enumeration: CWE-347.