0

I'm using the flask-jwt-extended library for my authentication. Everything works, but I want to check if someone sent a manipulated JWT token with ALG = none, since that's a known vulnerable point that's used to deceive the server.

I looked into the documentation but I didn't find an option that lets me check what's being received in alg on all requests.

Thanks.

Hi There
  • 167
  • 1
  • 5
  • 12

1 Answer

1

Flask-JWT-Extended already handles this for you. It checks each token against the expected algorithm as defined in app.config['JWT_DECODE_ALGORITHMS'] or app.config['JWT_ALGORITHM'] here (https://github.com/vimalloc/flask-jwt-extended/blob/1fec4dc22fe97fd3bf579548079543a8c0b61e3e/flask_jwt_extended/utils.py#L111) precisely to avoid these kinds of attacks.

vimalloc
  • 3,869
  • 4
  • 32
  • 45
  • Hey! Thanks for the clarification. But if I wanted to log the attempted requests sent with a none alg (just a simple print to console for now), how would I go around that? Do I have to change the source? Thanks! – Hi There Nov 12 '20 at 14:36
  • Anything with `none` will be kicked out of a jwt protected endpoint (`jwt_required`, `jwt_optional`, etc). If you want to log this you will need to manually grab the encoded token from headers/cookies/whatever and manually parse the alg out. Probably in an `@app.before_request`. – vimalloc Nov 12 '20 at 18:12
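The approach from the last comment, as an added example that is not part of the answer or of the Flask-JWT-Extended project: pull the encoded token out of the request, base64url-decode only the header segment (no verification is done here, the library still does that), and emit a log line when `alg` is `none`. It assumes the library's default token locations (`Authorization: Bearer <token>` and the `access_token_cookie` cookie) and a hypothetical Flask `app` object for the wiring shown in the trailing comment.

```python
import base64
import json
import logging

log = logging.getLogger("jwt_alg_audit")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_alg(token: str):
    """Return the 'alg' string from a JWT header without verifying the token, or None if unparseable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None


def is_none_alg(token: str) -> bool:
    # Compare case-insensitively so 'None' / 'NONE' variants are logged too
    alg = jwt_alg(token)
    return alg is not None and alg.lower() == "none"


def find_token(headers, cookies, header_name="Authorization", header_type="Bearer",
               cookie_name="access_token_cookie"):
    """Locate the encoded JWT; names are the assumed Flask-JWT-Extended defaults."""
    raw = headers.get(header_name)
    if raw:
        parts = raw.split()
        if len(parts) == 2 and parts[0] == header_type:
            return parts[1]
    return cookies.get(cookie_name)


def audit_request(headers, cookies, remote_addr="-"):
    """Log and return a message if the request carries an alg=none token, else None."""
    token = find_token(headers, cookies)
    if token is None or not is_none_alg(token):
        return None
    msg = f"alg=none JWT presented from {remote_addr}"
    log.warning(msg)
    return msg


# Constructed sample tokens (not from any real system) for trying the functions offline.
SAMPLE_NONE_TOKEN = ".".join([_b64url_encode(b'{"alg":"none","typ":"JWT"}'),
                              _b64url_encode(b'{"sub":"alice"}'), ""])
SAMPLE_HS256_TOKEN = ".".join([_b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
                               _b64url_encode(b'{"sub":"alice"}'),
                               _b64url_encode(b"not-a-real-signature")])

# Wiring into Flask (hypothetical `app`), before the library's own checks reject the token:
#   @app.before_request
#   def log_none_alg():
#       audit_request(request.headers, request.cookies, request.remote_addr)
```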