ajinabraham.njsscan.jwt_none_algorithm.node_jwt_none_algorithm

The algorithm is set to none for the JWT token. This nullifies the integrity of the JWT signature.

Definition
```yaml
rules:
  - id: node_jwt_none_algorithm
    patterns:
      - pattern-either:
          - pattern: |
              $JWT = require("jsonwebtoken")
              ...
              $T = $JWT.verify($P, $X, {algorithms:[...,'none',...]},...)
          - pattern: |
              $JWT = require("jsonwebtoken")
              ...
              $JWT.verify($P, $X, {algorithms:[...,'none',...]},...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWK, JWT } = $JOSE;
              ...
              $T = JWT.verify($P, JWK.None,...)
          - pattern: |
              $JOSE = require("jose")
              ...
              var { JWK, JWT } = $JOSE;
              ...
              JWT.verify($P, JWK.None,...)
    message: Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a9
      cwe: cwe-327
      license: LGPL-3.0-or-later
```
Short Link: https://sg.run/W85o