Use of a Broken or Risky Cryptographic Algorithm
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | High |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
Using the ’none’ algorithm when verifying JWT tokens means the signature isn’t checked, allowing anyone to forge valid tokens. This makes it easy for attackers to bypass authentication or authorization checks.
Impact#
If exploited, attackers could create their own JWT tokens and gain unauthorized access to protected resources, impersonate users, or escalate privileges within your application. This can lead to data breaches, loss of sensitive information, and compromise of application security.