Home > database >  Able to access an API without having any values in Header part of JWT Access Token
Able to access an API without having any values in Header part of JWT Access Token

Time:11-24

I am testing a web application that uses the OAuth mechanism to authorize and access the APIs. The OAuth uses RS256 algorithm to sign the tokens. I noticed that I am still able to access the API when I pass the JWT token with null 'Header' value and without 'Verify Signature' section in JWT token.

Example: Orginal JWT Token - <header>.<payload>.<signature>
Modified JWT Token - .<payload>

As per the standard security best practices, the header should not accept "none" algorithm and the recommended algorithm should be either HS256 or RS256. But in the above case, the APIs are successfully authorized with null header value. I even tried with "none" algorithm in the header and still the APIs are accepted.

Is it a security issue as the algorithm is not validated in the API? May I know how an attacker can use this scenario to exploit the API.

CodePudding user response:

If you're changing the header part or signature part (e.g. not sending them), and the API still accepts the token, then it means that the API does not validate the signature at all. It means that you can put anything in the payload, encode in base64 and the API will accept it as a valid token.

It's not a "security issue", it's just plain wrong implementation.

Page link:https//www.codepudding.com/database/201901.html

Prev:Update res users form based on default company in odoo14
Next:Is CSRF middleware needed if HTTPOnly cookie is used? And should it be session-based?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding