search cancel

Gateway allows JWT tampering by setting algorithm inside JWT header


Article ID: 240847


Updated On:


CA API Gateway


Our security testers identified that the "none" algorithm is accepted in the JWT header, meaning that a signature did not have to be provided and verified by the server
This means that a potential attacker can change the JWT payload, which may result in unfavorable actions on the API which is protected by the JWT Token

Steps to reproduce the issue

1- get a token for <domainname>
2- use to modify the JWT and set the algorithm as none (as below)

initial header 
  "typ": "JWT",
  "alg": "RS256"

Modified header

  "typ": "JWT",
  "alg": "none"

3- Use the modified token to invoke the API



Customer was using a custom JWK token


Release : 10.0

Component : API GATEWAY


Detecting JWT TOKEN Tampering

Non-custom tokens (default) detect tampering, this is done with the Decode Json Web Token assertion validating the signature of an id_token.

When using custom TOKEN the Decode JSon Web Token assertion does not pick up tampering.

For this see the docs link for validating Custom id_tokens