I am testing a web application that uses the OAuth mechanism to authorize and access the APIs. The OAuth uses the RS256 algorithm to sign the tokens. I noticed that I am still able to access the API when I pass the JWT token with a null 'Header' value and without the 'Verify Signature' section in the JWT token.
Example:
Original JWT Token - <header>.<payload>.<signature>
Modified JWT Token - .<payload>
As per the standard security best practices, the header should not accept the "none" algorithm and the recommended algorithm should be either HS256 or RS256. But in the above case, the APIs are successfully authorized with a null header value. I even tried with the "none" algorithm in the header and the APIs still accepted it.
Is it a security issue that the algorithm is not validated in the API? May I know how an attacker can use this scenario to exploit the API?
CodePudding user response:
If you're changing the header part or signature part (e.g. not sending them), and the API still accepts the token, then it means that the API does not validate the signature at all. It means that you can put anything in the payload, encode it in base64 and the API will accept it as a valid token.
It's not a "security issue", it's just plain wrong implementation.