Insecure 'none' algorithm in JWT

Description

The 'none' algorithm disables cryptographic integrity in JWT tokens, allowing attackers to forge them. Always use a secure algorithm like 'HS256'.

Examples

Insecure Code

java

Jwts.builder().signWith(SignatureAlgorithm.none);

Secure Code

java

Jwts.builder().signWith(SignatureAlgorithm.HS256);

Remediation

Replace the 'none' algorithm with a secure one, such as 'HS256', when creating or verifying JWT tokens.

Rule Details

Field	Value
ID	CODE-0649
Category	Crypto
Severity	CRITICAL
CWE	CWE-327
Confidence	LOW
Impact	MEDIUM
Likelihood	LOW
Exploitability	EASY
Tags	jwt, crypto, insecure algorithm
OWASP	A02:2021-Cryptographic Failures, A3:2017-Sensitive Data Exposure

References

https://owasp.org/Top10/A02_2021-Cryptographic_Failures
https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure 'none' algorithm in JWT

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Insecure 'none' algorithm in JWT ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Insecure 'none' algorithm in JWT

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References