Typescript Alg None Allowed
Description
Detects JSON Web Token (JWT) configurations that allow the 'none' algorithm, which is a critical security vulnerability. When the 'none' algorithm is accepted, attackers can forge valid tokens by removing the signature entirely, completely bypassing the cryptographic verification intended to protect the token's integrity.
Detection Strategy
• Identifies calls to JWT library methods 'sign' and 'verify'
• Checks if the JWT configuration allows the 'none' algorithm option
• Reports a vulnerability when JWT methods are called with configurations that don't explicitly forbid the 'none' algorithm
• Examines both token creation (sign) and validation (verify) operations for insecure settings
Vulnerable code example
import jwt from 'jsonwebtoken'
function createToken(data) {
  const secret = 'secretkey'
  // Vulnerable: allowing 'none' algorithm enables JWT signature bypass attacks
  const algorithms = ['none', 'hs256']
  return jwt.sign(data, secret, { algorithms })
}
✅ Secure code example
import jwt from 'jsonwebtoken'
function createToken(data) {
  const secret = process.env.JWT_SECRET // Store secret in environment variable
  // Only allow secure algorithm HS256, prevent algorithm bypass attacks
  const algorithms = ['HS256']
  try {...