Commit d65b7be

committed
rewrite help
1 parent bb7ba50 commit d65b7be

1 file changed

+12
-21
lines changed

Lines changed: 12 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,39 +1,30 @@
1-
<!DOCTYPE qhelp PUBLIC
2-
"-//Semmle//qhelp//EN"
3-
"qhelp.dtd">
4-
<qhelp>
1+
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> <qhelp>
52

63
<overview>
4+
<p>Applications decoding JSON Web Token (JWT) may be misconfigured due to the none algorithm.</p>
5+
<p>The none algorithm is selected by calling the <code>verify()</code> function with a falsy value
6+
instead of a cryptographic secret or key. The none algorithm disables the integrity enforcement of
7+
a JWT payload and may allow a malicious actor to make any desired changes to a JWT payload leading
8+
to critical security issues like privilege escalation.</p>
79

8-
<p>The featured CodeQL query warns using of none algorithm in verify() functions imported from jsonwebtoken package developed by the auth0 organization.</p>
9-
10-
<p>Backend JavaScript applications handling JWT could be affected by the none algorithm misconfiguration due to misusing verify() functions imported by jsonwebtoken package.
11-
Providing an empty string or a false value, instead of a secret or a key, enable the none algorithm to decode JWT payloads without signature verification.
12-
Misconfigured backend JavaScript on a production environment could be impacted by exploitation violating the integration of a JWT.</p>
1310
</overview>
1411

1512
<recommendation>
16-
<p>
17-
verify() functions should use a secret or a key to decode JWT payloads.
18-
</p>
19-
<p>
20-
Use a a secret or a key to decode JWT payloads.
21-
</p>
22-
<p>
23-
</p>
13+
<p>Use a secret or a key to decode JWT payloads when calling the <code>verify()</code> function.</p>
2414

2515
</recommendation>
2616

2717
<example>
28-
<p>The example starts with a secret signing an object using the HS256 algorithm.
29-
In the second case an empty string is provided, then an undefined value, and finally a false value.
30-
These three misconfigued verify() functions is detected to be potentially a cybersecurity vulnerability.
31-
</p>
18+
<p>In the example, the first case is signing an object with a secret and a HS256 algorithm. In the
19+
second case, an empty string is provided, then an undefined value, and finally a false value. These
20+
three misconfigured calls to <code>jwt.verify()</code> can cause vulnerabilities.</p>
21+
3222
<sample src="examples/JWTMissingSecretOrPublicKeyVerification.js" />
3323

3424
</example>
3525

3626
<references>
3727
<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
28+
3829
</references>
3930
</qhelp>
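Review bot: The rewritten overview (lines 4+ to 8+) drops the scoping that the removed lines 8- and 10- carried, namely that the query flags `verify()` calls from the `jsonwebtoken` package (auth0); nothing in the new text now names the package or states which API the alert is about, so a reader of the help page cannot tell which library's `verify()` is meant. Suggest keeping one sentence to that effect, e.g. "This query flags calls to <code>verify()</code> from the <code>jsonwebtoken</code> package where the secret or key argument is a falsy value." Two smaller points in the same hunk: line 18+ should read "an HS256 algorithm" rather than "a HS256 algorithm", and line 1+ puts the DOCTYPE and the opening `<qhelp>` on one line where the removed lines 1- to 4- (and the closing `</qhelp>` on line 30) keep them separate; line 28+ also adds a stray blank line inside `<references>`.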