JWT Scan Rule
ID | jwt_scan_rule
Severity | high
Kind | Authentication
CWE | N/A
Description
This detector identifies common vulnerabilities in JSON Web Token (JWT) implementations, including weak or missing signature validation, acceptance of the "none" algorithm, weak cryptographic keys, and improper token validation logic that could allow token forgery or manipulation.
Rationale
JWT vulnerabilities allow attackers to forge authentication tokens and impersonate legitimate users, including privileged accounts. By exploiting weak signature validation, an attacker can modify token claims such as user IDs or roles without detection. Common attack vectors include algorithm confusion attacks (switching from RS256 to HS256), accepting unsigned tokens with "alg: none", or cracking weak signing keys through brute force.
Remediation
Always verify JWT signatures using strong cryptographic algorithms (RS256 or ES256 for asymmetric, HS256 with strong keys for symmetric). Reject tokens with "alg: none" explicitly. Use well-tested JWT libraries and keep them updated. Implement proper key management with rotation policies. Validate all claims including issuer, audience, and expiration. Consider using short-lived access tokens with refresh token mechanisms.