Javascript Allow None Algorithm
Description
Detects potentially insecure JWT token handling in JavaScript code where the 'none' algorithm is not explicitly prohibited. This vulnerability could allow attackers to bypass token signature verification by modifying the algorithm header to 'none', effectively forging valid tokens without knowing the secret key.
Detection Strategy
• Identifies calls to JWT sign or verify methods in JavaScript code
• Checks if the JWT configuration allows the 'none' algorithm option
• Reports a vulnerability when JWT operations don't explicitly disable or reject the 'none' algorithm
• Focuses on the 'sign' and 'verify' methods of JWT libraries
Vulnerable code example
const jwt = require('jsonwebtoken');

function unsafeJWT() {
  const payload = { user: 'admin' };
  const key = 'secret123';
  const sign_config = { algorithm: 'none' }; // Vulnerable: allows unsigned tokens
  let token = jwt.sign(payload, key, sign_config);
  return token;
}

✅ Secure code example
const jwt = require('jsonwebtoken');

function safeJWT() {
  const payload = { user: 'admin' };
  const key = 'secret123';
  // Use the strong algorithm HS256 explicitly for signing
  const sign_config = { algorithm: 'HS256' };
  let token = jwt.sign(payload, key, sign_config);
  return token;
}