JWT None Algorithm Scanner
Tests for JWT 'none' algorithm vulnerability allowing token forgery.
What is JWT None Algorithm?
The JWT None Algorithm vulnerability occurs when a JWT implementation accepts tokens with the 'alg' header set to 'none', indicating no signature verification is required. Attackers can forge arbitrary tokens by changing the algorithm to 'none' and removing the signature, bypassing all authentication controls.
Why is This Important?
This vulnerability allows complete authentication bypass. Attackers can impersonate any user, escalate privileges to admin, or access any protected resource simply by modifying a JWT's payload and setting the algorithm to 'none'. It's one of the most severe JWT vulnerabilities because exploitation requires no secret key knowledge.
How It Works
1. Auth Flow Analysis
Maps authentication mechanisms including login, registration, password reset, and session management flows.
2. Security Testing
Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.
3. Access Verification
Validates findings by demonstrating unauthorized access or privilege escalation paths.
Key Capabilities
Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.
- Complete authentication flow analysis
- Token and session security validation
- Password policy and brute-force testing
- Multi-factor authentication bypass detection
- OAuth, SAML, and JWT security assessment
Frequently Asked Questions
How does the none algorithm attack work?
Attackers take a valid JWT, decode the header, change 'alg' to 'none', modify the payload (e.g., change user ID or role), remove the signature portion, and submit the modified token. Vulnerable servers accept it because 'none' means no signature verification.
Why would a JWT library support 'none' algorithm?
The 'none' algorithm is part of the JWT specification for specific use cases where tokens are already secured by other means (e.g., encrypted transport). However, most applications shouldn't accept it. Many libraries enabled it by default historically.
What variations of this attack exist?
Attackers try: 'none', 'None', 'NONE', 'nOnE', and other case variations. Some libraries use case-insensitive matching. There's also the 'empty signature' variant where 'alg' is normal but the signature is stripped or empty.
How do I prevent the none algorithm attack?
Explicitly configure your JWT library to reject the 'none' algorithm, use an allowlist of accepted algorithms (e.g., only RS256), validate the algorithm in the token matches your expected algorithm, and keep JWT libraries updated.
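The following verifier is an added example, not code from the scanner or its vendor; it shows what the answers above about the attack, its case and empty-signature variants, and its prevention look like in a concrete verify routine. It uses only the Python standard library (no PyJWT), implements HS256 only, and constructs its own demo key and test tokens inline; the unsigned tokens it builds exist only as test input so the checks can be exercised.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this service is willing to verify. Exact match only, and
# 'none' must never appear here (assumption: the service issues HS256 only).
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (used here to build test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: dict, alg_value: str) -> str:
    """Constructed test input: a token with an empty signature and the given
    'alg' value. It mirrors the 'none' and empty-signature variants described
    in the FAQ and exists only so the verifier below can be tested."""
    header = _b64url_encode(json.dumps({"alg": alg_value, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def verify_jwt(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the payload if the token is acceptable, else raise ValueError.

    Header-level problems ('none' in any casing, an algorithm outside the
    allowlist, a missing signature) are rejected before any cryptography runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("header is not valid base64url JSON")
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")

    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError("header 'alg' missing or not a string")
    # Case-insensitive rejection covers 'none', 'None', 'NONE', 'nOnE', ...
    if alg.lower() == "none":
        raise ValueError("unsigned ('none') tokens are not accepted")
    # Exact-match allowlist: the token does not get to choose the algorithm.
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} is not in the allowlist")
    # Empty-signature variant: a normal 'alg' but nothing after the last dot.
    if not sig_b64:
        raise ValueError("signature segment is empty")

    if alg == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        try:
            provided = _b64url_decode(sig_b64)
        except ValueError:
            raise ValueError("signature is not valid base64url")
        if not hmac.compare_digest(expected, provided):
            raise ValueError("signature mismatch")
    else:
        # Only HS256 is implemented in this example; the allowlist keeps
        # anything else out before this branch is reached.
        raise ValueError(f"no verifier implemented for {alg}")

    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes) -> bool:
    """True if verify_jwt accepts the token, False on any rejection."""
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"
    good = make_hs256_token({"sub": "alice", "role": "user"}, demo_key)
    print("signed token accepted:", is_accepted(good, demo_key))
    for variant in ("none", "None", "NONE", "nOnE"):
        unsigned = make_unsigned_token({"sub": "alice", "role": "admin"}, variant)
        print(f"alg={variant!r} accepted:", is_accepted(unsigned, demo_key))
    stripped = good.rsplit(".", 1)[0] + "."
    print("empty-signature variant accepted:", is_accepted(stripped, demo_key))
```

The order of the checks is the point: the algorithm is decided by the server's allowlist, never by the token, and a missing signature is rejected before any HMAC is computed. Case folding the 'alg' value before the 'none' comparison is what closes the case-variation bypass, and the exact-match allowlist is what keeps an unexpected but syntactically valid algorithm name out.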