JavaScript JWT None Algorithm
Description
Detects potential JWT token forgery vulnerabilities where applications using the 'jose' library might accept tokens signed with the 'none' algorithm. This security flaw could allow attackers to forge valid JWT tokens without knowing the signature key, potentially leading to authentication bypasses.
Detection Strategy
• Checks if the JavaScript/Node.js project imports or uses the 'jose' JWT library
• Searches for JWT verification or validation functions that could accept tokens with 'none' as the signing algorithm
• Reports a vulnerability when token verification code is found that doesn't explicitly reject the 'none' algorithm
Vulnerable code example
const { JWT, JWK } = require('jose')
// VULNERABLE: Accepts 'none' algorithm tokens, bypassing signature verification
const decoded = JWT.verify('any.token.here', JWK.None)
console.log(decoded)
✅ Secure code example
const { JWT } = require('jose')
// Create a secure secret key
const secret = new TextEncoder().encode('your-strong-secret')
// Verify JWT with explicit algorithm(s) to prevent algorithm confusion attacks
const decoded = JWT.verify(
'any.token.here', ...
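The explicit-algorithm check described above, as an added example that is not code from this page or from the 'jose' project. It is an HS256-only verifier written against Node's built-in crypto module; the helper names (`sign`, `verifyJwt`, `outcome`), the secret and both tokens are constructed for illustration.

```javascript
// Added example: HS256-only verifier on Node's built-in crypto (not the jose API).
const crypto = require('node:crypto')

const b64url = (data) => Buffer.from(data).toString('base64url')

// Hypothetical helper, used only to build the constructed sample tokens below.
function sign(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`
  if (header.alg === 'none') return `${input}.` // unsigned token: empty signature part
  const mac = crypto.createHmac('sha256', secret).update(input).digest('base64url')
  return `${input}.${mac}`
}

// Verify a compact JWT against an explicit allow-list of algorithms.
function verifyJwt(token, secret, allowedAlgs = ['HS256']) {
  const parts = String(token).split('.')
  if (parts.length !== 3) throw new Error('malformed token')
  const [h, p, sig] = parts
  let header
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'))
  } catch {
    throw new Error('malformed header')
  }
  // The header comes from the token itself, so it may only select from the allow-list.
  if (typeof header.alg !== 'string' || !allowedAlgs.includes(header.alg)) {
    throw new Error(`algorithm not allowed: ${header.alg}`)
  }
  if (header.alg !== 'HS256') throw new Error('unsupported algorithm in this example')
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest()
  const given = Buffer.from(sig, 'base64url')
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature')
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'))
}

// Constructed sample data (not from the page).
const secret = 'constructed-demo-secret'
const signedToken = sign({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice' }, secret)
const unsignedToken = sign({ alg: 'none', typ: 'JWT' }, { sub: 'admin' }, secret)

// Returns the token's subject on success, or the rejection reason.
function outcome(token) {
  try { return verifyJwt(token, secret).sub } catch (e) { return `rejected: ${e.message}` }
}
console.log(outcome(signedToken))   // alice
console.log(outcome(unsignedToken)) // rejected: algorithm not allowed: none
```

Because the comparison against the allow-list is an exact string match, case variants of `none` in the header are rejected by the same check.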