/Code Review/JWT None Algorithm Attack

JWT None Algorithm Attack

JWT verification accepts "none" algorithm, allowing tokens to be forged.

CRITICALHard

Vulnerable Codejavascript

1const jwt = require('jsonwebtoken');
2
3function verifyToken(token) {
4    const decoded = jwt.decode(token, { complete: true });
5    const algorithm = decoded.header.alg;
6    
7    return jwt.verify(token, secret, { algorithms: [algorithm] });
8}

Understanding the Issue

The application trusts the algorithm specified in the JWT header. An attacker can change the algorithm to "none" and remove the signature, creating a valid-looking token that bypasses verification entirely.

Algorithm None Attack

Attacker modifies JWT header to bypass signature verification

Malicious Input

Original token:
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjV9.signature

Forged token (alg: none):
eyJhbGciOiJub25lIn0.eyJ1c2VySWQiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.

Impact

Decoded forged token:
Header: {"alg":"none"}
Payload: {"userId":"admin","role":"admin"}
Signature: (empty)

✓ No signature to verify
✓ Server accepts attacker as admin
✓ Complete authentication bypass

Technical Details

Vulnerability Type: Broken Authentication
Severity: CRITICAL
Language: Javascript
CWE: CWE-327
OWASP: A07:2021 - Identification Failures

JWT None Algorithm Attack

Understanding the Issue

How Attackers Exploit This

Algorithm None Attack

Finding the Vulnerability(3 hints)

Technical Details

JWT None Algorithm Attack

Understanding the Issue

How Attackers Exploit This

Algorithm None Attack

Finding the Vulnerability(3 hints)

Technical Details