The "None" Algorithm Attack
Some JWT libraries mistakenly accept tokens where the header specifies
{"alg": "none"}, bypassing signature verification entirely.
1. Decode Target Token
Algorithm Confusion Attack
If a server expects RS256 (asymmetric) but receives HS256 (symmetric), it might use the public key as the symmetric secret to verify the signature.
Obtain Public Key
Modify Header
Change RS256 to HS256.
Sign with Public Key
Signature Stripping
Simply removing the signature portion of the JWT. Poorly implemented backends might not throw an error if the signature string is missing.
JWT Security Best Practices
-
✓
Enforce Algorithm Allowed Lists
Never rely solely on the
algheader. Explicitly define which algorithms your backend accepts (e.g., onlyRS256). -
✓
Reject "none" algorithm
Explicitly reject any token specifying the "none" algorithm unless explicitly configured for development/testing.
-
✓
Validate All Claims
Always check `exp` (expiration), `nbf` (not before), `iss` (issuer), and `aud` (audience).
-
✓
Use Strong Secrets
For HS256, use a long, cryptographically secure random sequence. Do not use dictionary words.
Test Your Knowledge
Ready to see if you can spot JWT vulnerabilities?