If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all), an attacker can forge it and impersonate user identities.
- Don't use the "none" algorithm to sign or verify the validity of a token.
- Don't use a token without first verifying its signature.
Noncompliant Code Example
jwt-dotnet library:
Dim decodedtoken1 As String = decoder.Decode(token, secret, verify:= false) ' Noncompliant: signature should be verified
Dim decodedtoken2 As String = New JwtBuilder().
WithSecret(secret).
Decode(forgedtoken1) ' Noncompliant: signature should be verified
Compliant Solution
jwt-dotnet library:
Dim decodedtoken1 As String = decoder.Decode(forgedtoken1, secret, verify:= true) ' Compliant
Dim decodedtoken2 As String = New JwtBuilder().
WithSecret(secret).
MustVerifySignature().
Decode(token) ' Compliant
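The difference between the two decode calls above, as an added example that is not part of the rule page or the jwt-dotnet library: a minimal HS256 verifier written with only the Python standard library, where decode_unverified mirrors verify:=False and decode_verified mirrors MustVerifySignature(). The function names and the sample key are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"example-shared-secret"  # constructed sample key, not a real one


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    # Issues a token signed with HMAC-SHA256, the only algorithm accepted below.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    # verify:=False behaviour: the payload is trusted as-is, whatever the header
    # says and whether or not a signature is present at all.
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, secret: bytes) -> dict:
    # MustVerifySignature() behaviour: the algorithm is pinned server-side and the
    # header's "alg" is only compared to it, so a "none" header cannot disable the check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:  # base64 and JSON decoding errors are ValueError subclasses
        decode_verified(token, secret)
        return True
    except ValueError:
        return False
```

A token whose header says "alg": "none", or whose payload was edited after signing, is accepted by decode_unverified and rejected by decode_verified.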
See