java.java-jwt.security.jwt-none-alg.java-jwt-none-alg

profile photo of returntocorpreturntocorp
Author
6,345
Download Count*
LGPL Commons Clause
License

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: java-jwt-none-alg
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    severity: ERROR
    pattern-either:
      - pattern: |
          $JWT.sign(com.auth0.jwt.algorithms.Algorithm.none());
      - pattern: |
          $NONE = com.auth0.jwt.algorithms.Algorithm.none();
          ...
          $JWT.sign($NONE);
      - pattern: |-
          class $CLASS {
            ...
            $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none();
            ...
            $RETURNTYPE $FUNC (...) {
              ...
              $JWT.sign($NONE);
              ...
            }
            ...
          }

Examples

jwt-none-alg.java

package jwt_test.jwt_test_1;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;

public class App
{

    private static void bad1() {
        try {
            // ruleid: java-jwt-none-alg
            Algorithm algorithm = Algorithm.none();
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(algorithm);
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }

    private static void bad2() {
        try {
            // ruleid: java-jwt-none-alg
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(Algorithm.none());
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }

    private static void ok1(String secretKey) {
        try {
            // ok: java-jwt-none-alg
            Algorithm algorithm = Algorithm.HMAC256(secretKey);
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(algorithm);
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }

    public static void main( String[] args )
    {
        bad1();
        bad2();
        ok1(args[0]);
    }
}