2

JWT implementations might be exposed to different attacks, one of them is the alg:none attack (see more details here).

I'm using spring-security-jwt dependency in my pom.xml file, and was not able to find out whether this implementation deals with the alg:none attack.

Is this attack mitigated by the spring security JWT implementation?

Brad Parks
omer

1 Answer

4

If you are using spring-security-oauth/spring-security-jwt then yes, this attack is mitigated. As per the link you have shared, one way to mitigate this attack is by treating a JWT token whose header contains "alg":"none" as invalid, or by not relying on the alg header when selecting the algorithm.

In the spring-security-jwt source code, the decode method of the JwtHelper class does not rely on the alg header when selecting the algorithm.

public static Jwt decode(String token) {
    int firstPeriod = token.indexOf('.');
    int lastPeriod = token.lastIndexOf('.');

    // A compact JWS is header.claims.signature; anything else is rejected outright.
    if (firstPeriod <= 0 || lastPeriod <= firstPeriod) {
        throw new IllegalArgumentException("JWT must have 3 tokens");
    }
    CharBuffer buffer = CharBuffer.wrap(token, 0, firstPeriod);
    // TODO: Use a Reader which supports CharBuffer
    JwtHeader header = JwtHeaderHelper.create(buffer.toString());

    buffer.limit(lastPeriod).position(firstPeriod + 1);
    byte[] claims = b64UrlDecode(buffer);
    // True when nothing follows the last '.', i.e. the signature segment is empty.
    boolean emptyCrypto = lastPeriod == token.length() - 1;

    byte[] crypto;

    if (emptyCrypto) {
        // An empty signature segment is only tolerated when the header itself says "none";
        // a token claiming HS256/RS256 with no signature is rejected here.
        if (!"none".equals(header.parameters.alg)) {
            throw new IllegalArgumentException(
                    "Signed or encrypted token must have non-empty crypto segment");
        }
        crypto = new byte[0];
    }
    else {
        buffer.limit(token.length()).position(lastPeriod + 1);
        crypto = b64UrlDecode(buffer);
    }
    // Note that decode() only parses; the signature is checked later by a caller-supplied verifier.
    return new JwtImpl(header, claims, crypto);
}

There is no document or compilation of vulnerabilities in spring-security-jwt, but you can check the issues section under spring-security-jwt and report any vulnerabilities you think need to be patched.

shazin
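An added example, not part of the answer above or of the spring-security-jwt project, showing the check a practitioner would want in their own test suite: decode() only parses, so the protection comes from decodeAndVerify() with a verifier that the application chooses, regardless of what the header's alg says. It assumes the spring-security-jwt classes JwtHelper, Jwt, MacSigner and InvalidSignatureException and uses a constructed demo secret.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;

public class AlgNoneCheck {
    // Constructed demo secret; a real deployment loads this from configuration.
    private static final MacSigner HMAC = new MacSigner("constructed-demo-secret-do-not-use");

    static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Returns true only when the token passes decodeAndVerify with our HMAC verifier.
    static boolean accepts(String token) {
        try {
            JwtHelper.decodeAndVerify(token, HMAC);
            return true;
        } catch (InvalidSignatureException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String claims = "{\"sub\":\"alice\",\"role\":\"user\"}";

        // A token signed with the application's key is accepted.
        String signed = JwtHelper.encode(claims, HMAC).getEncoded();
        System.out.println("signed token accepted: " + accepts(signed));

        // Same claims, header alg:none, empty signature segment (the test input a
        // regression suite should contain). decode() parses it, but the MacSigner
        // verifier recomputes the HMAC and rejects the empty signature.
        String unsigned = b64url("{\"alg\":\"none\"}") + "." + b64url(claims) + ".";
        Jwt parsedOnly = JwtHelper.decode(unsigned);
        System.out.println("decode() alone yields claims: " + parsedOnly.getClaims());
        System.out.println("alg:none token accepted: " + accepts(unsigned));
    }
}
```

The useful assertion for a unit test is that accepts(unsigned) is false while accepts(signed) is true; a code path that calls only decode() and then trusts getClaims() would have no such protection.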