Endpoint accepts unsigned JWT


Description

This publicly exposed API endpoint accepts unsigned JWTs. The JWT specification allows for unsecured JWTs where the algorithm is set to “none” and no signature is provided.

When an endpoint accepts JWTs with the “none” algorithm, it means that:

  1. No cryptographic signature verification is performed
  2. The JWT payload is trusted without any authentication of its integrity
  3. Anyone can create a valid JWT by simply setting the algorithm to “none” and removing the signature

Remediation

To fix this vulnerability, reject unsigned JWTs: configure your JWT validation library to explicitly reject JWTs with `"alg": "none"`. If that is not possible, manually inspect the parsed JWT header and reject the token if its algorithm is `none`.
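The manual check described above, as an added example that is not part of this page or of any particular library: a minimal verifier that rejects `"alg": "none"` (in any letter case), enforces an allowlist of expected algorithms, and only then checks the HMAC signature. The shared secret and the `HS256` allowlist are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real service loads this from a secret store.
SECRET = b"example-shared-secret"
# Only the algorithms this endpoint actually issues; "none" is never listed.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Return the payload only if the token carries a valid signature.

    Raises ValueError for unsigned ("alg": "none"), unexpected or badly
    signed tokens, so a caller can never fall through to an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    # Explicit check: "none", "None", "NONE" and a missing alg all fail here.
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not sig_b64:
        raise ValueError("missing signature")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def make_token(payload: dict, alg: str, secret: bytes = SECRET) -> str:
    """Build a test fixture token; an "alg" of "none" yields an unsigned one."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)
```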