Kotlin None Alg Jwt Signature Disabled
Description
Detects when JWT tokens are configured to accept the 'none' algorithm in Kotlin applications using the Auth0 JWT library. This vulnerability allows attackers to bypass signature verification and forge valid JWT tokens, potentially leading to authentication bypasses.
Detection Strategy
• Check if the Auth0 JWT library (com.auth0.jwt.JWT or com.auth0) is imported in the code
• Look for JWT token creation using JWT.create() that ends with a sign() method call
• Verify if the signing algorithm parameter accepts or defaults to the unsafe 'none' algorithm
• Report a vulnerability when tokens are created with Algorithm.none(), i.e. without a signature that a verifier could check
Vulnerable code example
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
fun createToken(): String {
    // VULNERABLE: Using 'none' algorithm allows attackers to forge tokens without signature
    val algorithm = Algorithm.none()
    return JWT.create()
        .withSubject("user")
        .sign(algorithm) // emits a token with "alg": "none" and an empty signature part
}

✅ Secure code example
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTCreationException
fun createToken(secretKey: String): String {
    try {
        // SECURE: Using HMAC256 with proper secret key instead of 'none' algorithm
        val algorithm = Algorithm.HMAC256(secretKey)
        return JWT.create()
            .withSubject("user")
            .sign(algorithm)
    } catch (e: JWTCreationException) {
        // Claims could not be serialized or the key was unusable
        throw IllegalStateException("Could not create JWT", e)
    }
}
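Fixing token creation is only half of the control: the verifier must also be pinned to the expected algorithm so that a token carrying "alg": "none" is rejected rather than accepted as "valid with no signature". The following is an added example, not code from the Fluid Attacks rule page or from the Auth0 library; it pairs with the secure createToken above. The issuer name, the demo secret and the helper names (verifyToken, hasNoneAlgorithm) are constructed for illustration.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException

// Cheap pre-check on the unverified header: JWT.decode() does NOT validate
// the signature, so this is only used to give a clear rejection reason.
fun hasNoneAlgorithm(token: String): Boolean =
    JWT.decode(token).algorithm.equals("none", ignoreCase = true)

// Verifier pinned to HMAC256 with the server-side secret. Because the expected
// algorithm is fixed here, a token whose header claims a different "alg"
// (including "none") fails with AlgorithmMismatchException, which is a
// subclass of JWTVerificationException.
fun verifyToken(token: String, secretKey: String): String? {
    if (hasNoneAlgorithm(token)) {
        // Assumed logging hook; replace with the application's logger.
        println("rejected: token uses alg=none")
        return null
    }
    val verifier = JWT.require(Algorithm.HMAC256(secretKey))
        .withIssuer("example-issuer") // assumed issuer value
        .build()
    return try {
        verifier.verify(token).subject
    } catch (e: JWTVerificationException) {
        // Algorithm mismatch, bad signature, wrong issuer, expired token, ...
        println("rejected: ${e.javaClass.simpleName}")
        null
    }
}

fun main() {
    val secret = "constructed-demo-secret-do-not-use-in-production"
    val signed = JWT.create()
        .withIssuer("example-issuer")
        .withSubject("user")
        .sign(Algorithm.HMAC256(secret))
    println(verifyToken(signed, secret))   // prints: user

    // Constructed token of the kind the vulnerable createToken() above emits.
    val unsigned = JWT.create()
        .withIssuer("example-issuer")
        .withSubject("user")
        .sign(Algorithm.none())
    println(verifyToken(unsigned, secret)) // prints: rejected: token uses alg=none, then null
}
```

The important design choice is that the accepted algorithm is a server-side constant passed to JWT.require(); it is never read from the token's own header. The pre-check in hasNoneAlgorithm is optional (the pinned verifier already rejects such tokens) but makes the event easy to alert on in logs.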