JSON Web Token (JWT) not signed with a cipher algorithm JS-S1008

When a JSON Web Token (JWT) is created, it needs to be signed by the issuer using a strong cipher algorithm. Without a signature, the authenticity and integrity of the token cannot be verified.

The signature is created using the header and payload segments, a signing algorithm, and a secret or public key. Any changes to the JWT should render the signature invalid. This allows the recipient of the token to verify that the token received has all of the information encoded by the issuer in its original form, unaltered.

This issue is raised when the sign function of jsonwebtoken package is used to create a JWT with none as the algorithm value.

Bad Practice

const jwt = require('jsonwebtoken');

// The JWT is not signed when `algorithm` is assigned with value `none`
const token = jwt.sign({ user: 'xyz' }, key, { algorithm: 'none' });

Recommended

const jwt = require('jsonwebtoken');

// Approach 1: By default the token will be signed using `HS256` algorithm when `algorithm` is not assigned any value
const token = jwt.sign({ user: 'xyz' }, key);

// Approach 2: Explicitly use a supported signing algorithm to sign the token
const token = jwt.sign({ user: 'xyz' }, key, { algorithm: 'HS256' });

References

• OWASP - A2:2021
• OWASP - A3:2017
• Testing JSON Web Tokens