SYM_JAVA_0156 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
Language | java |
Severity | |
CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | High |
Impact Level | Medium |
Likelihood Level | High |
Description
Using the 'none' algorithm ("alg": "none" in the JOSE header, which RFC 7518 defines as an Unsecured JWS) means the JWT carries no signature at all. A token produced this way is not signed, and a verifier that accepts it performs no integrity check, so anyone can create or modify a token without detection. The risk materializes at verification time: if the application lets the token's own header select the algorithm instead of pinning the algorithm and key it expects, an attacker can switch a legitimately signed token to 'none', rewrite the claims and drop the signature. This practice leaves your authentication or authorization system open to forgery.
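The following is an added example, not code from the Symbiotic-Vulnerability-Database page, that shows the forgery end to end. It implements JWT (JWS compact serialization) signing and verification by hand with the Python standard library so that it runs offline: a vulnerable verifier that trusts the header's `alg` field accepts a forged 'none' token carrying an elevated role, while a hardened verifier that pins HS256 rejects it. The secret and the claim values are constructed for the demo and are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for the demo (an assumption, not from the page).
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server-side: issue a properly signed HS256 token."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none_token(claims: dict) -> str:
    """Attacker-side: an Unsecured JWS (alg 'none', empty signature) with arbitrary claims."""
    header, payload = _segment({"alg": "none", "typ": "JWT"}), _segment(claims)
    return f"{header}.{payload}."


def verify_trusting_header(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: lets the token's own header choose the algorithm (CWE-327)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        # 'none' means "no signature": the claims are accepted with no integrity check.
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned_hs256(token: str, secret: bytes) -> Optional[dict]:
    """HARDENED: the verifier decides the algorithm; anything else, including 'none', is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Run a legitimate token and a forged 'none' token through both verifiers."""
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none_token({"sub": "alice", "role": "admin"})  # attacker never had SECRET
    return {
        "legit_vulnerable": verify_trusting_header(legit, SECRET),
        "forged_vulnerable": verify_trusting_header(forged, SECRET),  # accepted: role escalated
        "legit_hardened": verify_pinned_hs256(legit, SECRET),
        "forged_hardened": verify_pinned_hs256(forged, SECRET),  # None: rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened verifier pins the algorithm before it touches the signature, so the header cannot downgrade the check; real libraries should be configured the same way, by passing the single expected algorithm (and key) to the verification call rather than accepting whatever `alg` the token declares.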
Impact
If exploited, an attacker can forge JWTs with arbitrary claims (for example a different subject or an elevated role) that the application accepts as valid, granting unauthorized access to sensitive data and functionality. This can lead to account takeover, privilege escalation, or full compromise of protected resources.