| Details | |
|---|---|
| Alert ID | 200003-2 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 345 |
| WASC | |
| Technologies Targeted | All |
| Tags | CWE-345 OWASP_2021_A07 OWASP_2025_A07 TOOL_PTK |
Summary
This attack occurs when an attacker alters a token's header so that the algorithm (`alg`) is set to `none` and strips the signature. A verifier that trusts the algorithm named in the token treats `none` as meaning the integrity of the token has already been verified, and so accepts the modified payload without checking any signature.
Generated by OWASP PTK DAST Module
Solution
- Use a secure and up to date library to handle JWTs.
- Ensure that the signature is valid, and that it is using the expected algorithm. The expected algorithm must be fixed on the server side, never read from the token.
- Use a strong HMAC key or a unique private key to sign tokens.
- Ensure that there is no sensitive information exposed in the payload.
- Ensure that JWTs are securely stored and transmitted.
- See the OWASP JSON Web Tokens Cheat Sheet.
Other Info
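The following is an added example, not part of the original alert or of the OWASP PTK tool. It shows the attack described in the Summary and the algorithm check required by the Solution in one place: a legitimate HS256 token is issued, an attacker rewrites its header to `alg: none` and drops the signature, and two verifiers are run against it. `verify_vulnerable` lets the token choose the algorithm and so accepts the forgery; `verify_hardened` pins the algorithm server-side and rejects it. The key, claims and function names are constructed for the demonstration; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and claims; not from any real deployment.
SECRET = b"demo-hmac-key-change-me"
PAYLOAD = {"sub": "alice", "role": "user"}
# The server decides which algorithm it accepts. This is never read from the token.
ALLOWED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWS base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWS (HS256) the way a legitimate server would."""
    header_b64 = _b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    body_b64 = _b64url_encode(_json(payload))
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{body_b64}.{_b64url_encode(sig)}"


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker side: set alg=none, edit the claims, leave the signature segment empty.

    An empty third segment is what the "none" algorithm produces, so the
    forged token is syntactically a valid three-part JWS.
    """
    header_b64, body_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = "none"
    payload = json.loads(_b64url_decode(body_b64))
    payload.update(new_claims)
    return f"{_b64url_encode(_json(header))}.{_b64url_encode(_json(payload))}."


def verify_vulnerable(token: str, key: bytes):
    """Vulnerable verifier: the token's own header selects the algorithm.

    Returns the claims if the token is accepted, else None.
    """
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    alg = header.get("alg")
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
    elif alg == "none":
        # The flaw: "none" is treated as "already verified" and nothing is checked.
        pass
    else:
        return None
    return json.loads(_b64url_decode(body_b64))


def verify_hardened(token: str, key: bytes):
    """Hardened verifier: the server fixes the algorithm; the header must match exactly.

    Anything other than ALLOWED_ALG (including "none" in any spelling) is rejected
    before a signature is even looked at, then the HMAC is checked in constant time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != ALLOWED_ALG:
        return None
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


if __name__ == "__main__":
    legit = sign_hs256(PAYLOAD, SECRET)
    forged = forge_alg_none(legit, {"role": "admin"})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened accepts forged token:  ", verify_hardened(forged, SECRET))
```

The important difference is where the algorithm decision lives. Because `verify_hardened` compares the header against a server-side constant with exact equality, the `none` branch cannot be reached at all, and case variants such as `None` or `NONE` are rejected for the same reason. Real JWT libraries expose the same idea as an explicit allow-list of algorithms passed to the verify call; the alert's first two Solution bullets amount to using that parameter and never leaving it to the token.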
References
- https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/
- https://cwe.mitre.org/data/definitions/345.html