Java None Alg Jwt Signature Disabled
Description
Detects potential JWT signature bypass vulnerabilities in Java applications that use Auth0's JWT library. The issue occurs when JWT verification is misconfigured so that tokens signed with the 'none' algorithm may be accepted, which would allow an attacker to forge valid tokens without knowing the signing key.
Detection Strategy
• Check if the Auth0 JWT library (com.auth0.jwt.JWT) is imported in the codebase
• Look for JWT sign method calls in the code
• Analyze the JWT configuration to determine if proper signature verification is enforced
• Report a vulnerability if JWT signing is configured in a way that could accept 'none' as an algorithm
Vulnerable code example
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;

public class VulnerableJWT {
    public static String createToken() {
        String secretKey = "the_super_secret_key"; // Vulnerable: Hardcoded secret key
        Algorithm algorithm = Algorithm.HMAC256(secretKey);
        return JWT.create()...
```

✅ Secure code example
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import java.util.Date;

public class SecureJWT {
    public static String createToken() throws JWTCreationException {
        // Get secret from environment variable instead of hardcoding...
```
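As an added example that is not part of this rule page or Fluid Attacks' code, the following shows the verification side of the check this rule describes with Auth0's java-jwt: the verifier is built with a single pinned algorithm, so a token whose header claims alg=none fails verification instead of being trusted. It assumes java-jwt (3.x or 4.x) on the classpath, a JWT_SECRET environment variable, and the issuer value "example-issuer".

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class PinnedAlgorithmVerifier {
    // Secret is read from the environment; the literal fallback exists only so
    // this demonstration runs stand-alone and is not a production pattern.
    private static final String SECRET =
            System.getenv().getOrDefault("JWT_SECRET", "demo-only-secret-change-me");
    private static final String ISSUER = "example-issuer"; // assumed value for this example

    // Returns the verified token, or null when verification fails for any reason.
    public static DecodedJWT verify(String token) {
        try {
            // The verifier is built with one explicitly named algorithm. java-jwt
            // compares the token's "alg" header against it and throws
            // AlgorithmMismatchException (a JWTVerificationException) on any
            // difference, so a token claiming "alg": "none" can never pass.
            return JWT.require(Algorithm.HMAC256(SECRET))
                    .withIssuer(ISSUER)
                    .build()
                    .verify(token);
        } catch (JWTVerificationException e) {
            // Also covers a bad signature, wrong issuer, expired or malformed token.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a token correctly signed with the shared secret.
        String signed = JWT.create()
                .withIssuer(ISSUER)
                .withSubject("alice")
                .sign(Algorithm.HMAC256(SECRET));

        // Constructed negative case: same claims, header "alg": "none", empty signature.
        // A verifier that trusted the header would accept it; the pinned one rejects it.
        String unsigned = JWT.create()
                .withIssuer(ISSUER)
                .withSubject("alice")
                .sign(Algorithm.none());

        DecodedJWT ok = verify(signed);
        System.out.println("HS256 token: " + (ok == null ? "REJECTED" : "accepted, sub=" + ok.getSubject()));
        System.out.println("alg=none token: " + (verify(unsigned) == null ? "REJECTED" : "ACCEPTED (bug)"));
    }
}
```

The second line printed should always read REJECTED; if it does not, the verifier in use is taking the algorithm from the token header rather than from its own configuration, which is exactly the condition this rule flags.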