Qualys Enhances Web App Scanning with New JWT Algorithm Checks
Qualys Web Application Scanning (WAS) has enhanced its security capabilities with two new QIDs. These identify algorithms used in JSON Web Tokens (JWTs), a common method for user identification in REST APIs and Single Page Web Applications (SPAs).
JWTs consist of three parts: Header, Payload, and Signature. The Header specifies the token type and the signing algorithm, such as HMAC with SHA-256 (HS256) or RSA with SHA-256 (RS256). The Payload, or Claims, holds user-related information. The Signature is computed over the first two parts with the algorithm the Header names, so that a verifier can detect any change to them.
Qualys WAS is introducing QID 150571 to detect tokens using the 'none' algorithm. Such tokens carry no signature at all, so their contents can be modified freely. QID 150572, meanwhile, targets tokens using the HS256 algorithm. While HS256 is stronger than 'none', it is a symmetric scheme: the same secret both signs and verifies, so any party that holds the secret in order to validate tokens can also create them.
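The following Python example is added here to make the two checks concrete; it is not Qualys code, and how the real QIDs inspect tokens is not described on the page, so the scanner-style classifier below is an assumption about that logic. It builds sample HS256 and 'none' tokens from a constructed secret, reads the header algorithm the way a scanner would, and shows a verifier that pins the expected algorithm rather than trusting the header, which is what makes the 'none' finding fixable on the application side.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
SAMPLE_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments omit, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: dict, alg: str, secret: bytes = SAMPLE_SECRET) -> str:
    """Build compact-serialised test tokens for the checks below (HS256 or the
    unsecured 'none' algorithm). Hypothetical helper, used only to construct input."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsecured JWT: the signature part is empty
    if alg == "HS256":
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    raise ValueError(f"unsupported alg {alg}")


def classify_alg(token: str) -> dict:
    """Scanner-style check (assumed analogue of QID 150571 / 150572): report the
    header 'alg' and a finding, without verifying the token at all."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"alg": None, "finding": "malformed: expected three dot-separated parts"}
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg is None or alg.lower() == "none":
        return {"alg": alg, "finding": "unsigned token (alg 'none'): claims can be altered freely"}
    if alg == "HS256":
        return {"alg": alg, "finding": "HMAC-signed token: every verifier holding the secret can also mint tokens"}
    return {"alg": alg, "finding": None}


def verify_hs256(token: str, secret: bytes = SAMPLE_SECRET) -> Optional[dict]:
    """Hardened verifier: the accepted algorithm is fixed in code, never read from
    the header, so 'none' tokens are rejected before any signature logic runs.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # allowlist, not header-driven dispatch
        return None
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return json.loads(b64url_decode(parts[1]))


if __name__ == "__main__":
    claims = {"sub": "alice", "role": "user"}
    for alg in ("none", "HS256"):
        tok = make_sample_jwt(claims, alg)
        print(alg, classify_alg(tok), "verified:", verify_hs256(tok))
```

The verifier accepts only the algorithm the application was built for; the same allowlist approach applies to deployments that use RS256, where the check would pin that algorithm and the public key instead of a shared secret.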
JWTs are stateless and are sent with every request that requires identification, typically in the Authorization header or as a URL parameter. Qualys, the vendor of WAS, aims to help organisations identify and mitigate potential vulnerabilities in their JWT usage.
With these new QIDs, Qualys Web Application Scanning can now detect vulnerabilities related to algorithms used in JWTs. This includes the weak 'none' algorithm and the HS256 algorithm, which, despite being stronger, still poses risks. By identifying these issues, Qualys enables organisations to bolster their security measures and protect against potential token manipulation.