Insecure JWT Algorithm
Description
Using 'none' as the algorithm for jsonwebtoken produces a token with no signature, so the payload can be altered without detection; this directly undermines the integrity of the information transferred through the JWT. Sign your JWT tokens with a secure algorithm such as HMAC (for example HS256) or RSA instead, and make sure the verifying side only accepts those algorithms.
Examples
Insecure Code
```javascript
const jwt = require('jsonwebtoken');

// 'none' disables signing entirely: the token carries no signature to check.
let token = jwt.sign({user:"user1"}, 'secret', {algorithm: 'none'});
```
Secure Code
```javascript
const jwt = require('jsonwebtoken');

// HS256 signs the header and payload with an HMAC keyed by 'secret'.
let token = jwt.sign({user:"user1"}, 'secret', {algorithm: 'HS256'});
```
Remediation
Replace 'none' with a secure algorithm like 'HS256' when signing JWT tokens.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0407 |
| Category | Crypto |
| Severity | CRITICAL |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | jwt, crypto |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |