Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code accepts JWT tokens whose header declares the `none` algorithm. A `none` token carries no signature at all, so nothing binds its claims to a key the server holds; a verifier that honours the header simply trusts whatever claims the token contains. Anyone who can reach the endpoint can therefore hand-craft a token with arbitrary claims (for example `"role": "admin"` or another user's `sub`) and have the application treat it as valid. The root cause is letting the token's own `alg` header choose how it is verified: the server must pin the algorithm(s) it expects and reject `none`, including case variants such as `None` or `NONE`, regardless of what the header says.
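To make the failure concrete, the following added example (written for this page, not code from the original rule or any JWT library) implements a minimal HS256 JWT signer and two verifiers with only the Python standard library. `verify_vulnerable` dispatches on the token's `alg` header and so accepts a forged `alg: none` token with an empty signature; `verify_hardened` pins the algorithm server-side and rejects anything else. The secret, the claims and the helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Re-add padding before decoding; an empty string decodes to b''."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    """header.payload, each JSON-encoded then base64url-encoded."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}"


def sign_hs256(payload: dict, key: bytes) -> str:
    """Server-side: issue a properly signed HS256 token."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """Attacker-side: alg=none with an empty signature part; no key needed."""
    return _signing_input({"alg": "none", "typ": "JWT"}, payload) + "."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the header's alg (CWE-327): 'none' short-circuits verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    alg = header.get("alg")
    if alg == "none":
        # Unsigned token accepted as long as the signature part is empty.
        return payload if sig_b64 == "" else None
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins HS256; the header's alg is only compared, never used to dispatch."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Exact-match allowlist: 'none', 'None', 'NONE', 'HS512', ... all fail here.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time compare; an empty signature can never match a 32-byte MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return payload


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged:", verify_vulnerable(forged, SECRET))
    print("hardened accepts forged:  ", verify_hardened(forged, SECRET))
    print("hardened accepts legit:   ", verify_hardened(legit, SECRET))
```

The fix is an allowlist of algorithms chosen by the server, not a denylist of `none`: `verify_hardened` never reads `alg` to decide which verification routine to run, so a case variant or an unexpected algorithm cannot steer it into a weaker path. Real libraries expose the same control (for example an `algorithms=[...]` parameter in PyJWT), and the check a reviewer should look for is that the caller passes it and that the list does not include `none`.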
Impact
If exploited, an attacker can forge JWTs carrying any identity and any claims the application trusts, bypassing authentication entirely and gaining access to other users' accounts or to privileged functionality without ever holding the signing key. Because every token-protected endpoint is affected, the compromise extends to the whole application, with data breaches and loss of trust as the likely consequences.