Typescript Alg None Allowed Jose
Description
Detects JWT implementations vulnerable to algorithm switching attacks that allow the 'none' algorithm. If a JWT library accepts 'none' as the signing algorithm, attackers can forge valid tokens by stripping the signature, potentially bypassing authentication.
Detection Strategy
• Identifies imports of the 'jose' JWT library in the codebase
• Searches for JWT token verification code that could accept 'none' as an algorithm choice
• Reports vulnerability when JWT verification does not explicitly blacklist or reject the 'none' algorithm option
• Focuses on jose library usage patterns that may enable algorithm switching attacks
Vulnerable code example
import { JWT, JWK } from "jose";

// VULNERABLE: JWK.None is jose's placeholder key for unsecured (alg "none") tokens.
// Verifying with it accepts any token whose signature has been stripped.
const token = JWT.verify("any-token", JWK.None);
✅ Secure code example
import { JWT, JWK } from "jose";

// Create a proper secret key (a symmetric "oct" key for HS256)
const secret = JWK.asKey(Buffer.from("your-secret-key"));

// Secure: explicitly specify the allowed algorithms so the token's own
// header cannot select "none" or switch to a weaker algorithm.
// receivedToken is the JWT taken from the incoming request.
const token = JWT.verify(receivedToken, secret, {
  algorithms: ["HS256"], // Only allow specific secure algorithms
});