
#0803

Algorithm None Attack

Difficulty: Medium | +100 XP | OWASP A07:2021 Identification and Authentication Failures | CWE-347
Tags: JWT, Authentication, Algorithm Confusion

Scenario

JWT supports an 'alg: none' mode where no signature is required. An attacker can craft a token with any claims, set alg to 'none', and skip the signature entirely.

Your header validation function returns the algorithm without rejecting the 'none' value.

An attacker can forge admin tokens with zero cryptographic protection.

The alg:none vulnerability was present in multiple major JWT libraries (CVE-2015-9235 and similar). It completely bypasses signature verification, letting attackers forge arbitrary tokens.

Your Tasks

  1. Inspect validateTokenHeader — it returns {algorithm: header.alg} without rejecting 'none'.
  2. Fix it: throw 'Algorithm none is not allowed' if header.alg is 'none', 'NONE', or 'None' (case variants).
  3. All other algorithms (HS256, RS256, ES256, etc.) should be accepted.

Examples

Example 1: Algorithm none passes through (bug)

validateTokenHeader({alg:'none',typ:'JWT'})
// Returns {algorithm:'none'} — should have thrown!

Example 2: Valid algorithm is accepted

validateTokenHeader({alg:'HS256',typ:'JWT'})
// Returns {algorithm:'HS256'}

Constraints

  • header is a pre-parsed object with alg (string) and typ (string)
  • Reject exactly three string values: 'none', 'NONE', 'None'
  • Throw exactly 'Algorithm none is not allowed' — no other message
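The corrected validator, as an added example rather than the challenge's reference solution, together with a base64url header decoder so the check can be exercised on a whole token, and an allowlist variant that is stricter than the task's three-value denylist. decodeJwtHeader, checkToken, validateTokenHeaderAllowlist and the constructed sample tokens are assumptions of this example, not part of the challenge.

```javascript
// Added example, not the challenge's reference solution. It shows the fixed
// validateTokenHeader, a base64url header decoder (decodeJwtHeader) so the
// check can be run on a whole token, and an allowlist variant that goes
// beyond the task's three-value denylist.

const REJECTED_ALG_VALUES = new Set(['none', 'NONE', 'None']);

function validateTokenHeader(header) {
  // The bug was returning header.alg unconditionally. Refuse the unsigned
  // mode first; every other algorithm name is passed through unchanged.
  if (REJECTED_ALG_VALUES.has(header.alg)) {
    throw new Error('Algorithm none is not allowed');
  }
  return { algorithm: header.alg };
}

// Stricter variant (added here, not part of the task): accept only the
// algorithms this server actually verifies with. Spellings such as 'nOnE'
// never reach the verifier because they are simply not on the list.
function validateTokenHeaderAllowlist(header, allowed = ['HS256', 'RS256', 'ES256']) {
  if (typeof header.alg !== 'string' || !allowed.includes(header.alg)) {
    throw new Error('Algorithm not allowed');
  }
  return { algorithm: header.alg };
}

// JWT segments are base64url-encoded JSON; decode only the header here.
function decodeJwtHeader(token) {
  const [headerSegment] = token.split('.');
  return JSON.parse(Buffer.from(headerSegment, 'base64url').toString('utf8'));
}

// Run the header check on a raw token and report the outcome instead of throwing.
function checkToken(token) {
  try {
    return { ok: true, ...validateTokenHeader(decodeJwtHeader(token)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample tokens for the demo (not real credentials).
const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
// Unsigned token of the kind the scenario describes: alg none, empty signature.
const UNSIGNED_TOKEN = `${seg({ alg: 'none', typ: 'JWT' })}.${seg({ sub: 'alice', role: 'admin' })}.`;
// Normally shaped HS256 token; the signature segment is a placeholder.
const HS256_TOKEN = `${seg({ alg: 'HS256', typ: 'JWT' })}.${seg({ sub: 'alice' })}.c2lnbmF0dXJl`;

console.log(checkToken(UNSIGNED_TOKEN)); // { ok: false, error: 'Algorithm none is not allowed' }
console.log(checkToken(HS256_TOKEN));    // { ok: true, algorithm: 'HS256' }
```

Note that the task's exact-match denylist still accepts mixed-case spellings such as 'nOnE'; the allowlist variant is the form to prefer in production code.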
