JWT None alternative + MS15-051

2026-01-07 19:00:36 -08:00 · 2019-08-22 23:03:48 +02:00
parent e0220d1f17
commit 6c161f26b2
2 changed files with 24 additions and 0 deletions
--- a/Token/README.md
+++ b/Token/README.md
@@ -72,6 +72,12 @@ JWT Encoder – Decoder: `http://jsonwebtoken.io`

 JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.

+None algorithm variants:
+* none 
+* None
+* NONE
+* nOnE
+
 To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT.

 However, this won't work unless you **remove** the signature