characters. Each part contains a base64url-encoded value. The number of parts in the JWT depends on whether the result is a JWS using the JWS compact serialization or a JWE using the JWE compact serialization.

JWE Protected Header
- JSON object that contains the header parameters that are integrity protected by the authenticated encryption operation. These parameters apply to all recipients of the JWE. For the JWE compact serialization, this comprises the entire JOSE header. For the JWE JSON serialization, this is one component of the JOSE header.

JWE Shared Unprotected Header
- JSON object that contains the header parameters that apply to all recipients of the JWE but are not integrity protected. This can only be present when using the JWE JSON serialization.

JWE Per-Recipient Unprotected Header
- JSON object that contains header parameters that apply to a single recipient of the JWE. These header parameter values are not integrity protected. This can only be present when using the JWE JSON serialization.

The `none` algorithm allows you to use JWT tokens without a signature. Note that this is one of two algorithms that must be implemented according to the specification. The `none` algorithm may be supported in a production environment, resulting in a vulnerability. Set the algorithm to `none` and send the JWT token without (or with) the signature to an API endpoint. If the `none` algorithm is supported, the JWT token will be valid.

`none` algorithm variants:

`HS256`.

The `kid` header parameter is used by the relying application to perform key lookup. If the `kid` parameter can be passed to a system-like function, that will lead to command injection:

If the `kid` parameter specifies the path to the key in a filesystem that is used to verify the token, and an attacker enters the path to a file with predictable content in the `kid` parameter, they will be able to generate a forged token, since the secret key is already known. One such file is `/proc/sys/kernel/randomize_va_space`, which exists on Linux systems and has predictable values like 0, 1, 2. An attacker can create a malicious token using the secret values 0, 1, 2 and send it to the server.

If the key is looked up in a database using the `kid` parameter, it might be vulnerable to SQL injection.

(`iss` claim).

(`sub` claim) corresponds to a valid subject and/or issuer/subject pair at the application (this may include confirming that the issuer is trusted by the application).

The `aud` claim is not used (or is used incorrectly) to determine whether the JWT is being used by an intended party or was substituted by an attacker at an unintended party when the same issuer can issue JWTs that are intended for use by more than one relying party or application.
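As an added illustration from the verifying side (not code from the original page), a minimal HS256 verifier that pins the accepted algorithm so `none` is rejected, resolves `kid` only through a fixed key table rather than a filesystem path or database query, and checks `iss`, `aud` and `exp`; the key, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key set: kid -> secret. The key is found by dictionary lookup
# only, never by a filesystem path or database query built from the kid value.
KEYS = {"k1": b"constructed-demo-secret-for-k1"}
ALLOWED_ALGS = {"HS256"}  # explicit allowlist, so "none" (in any spelling) is rejected
EXPECTED_ISS = "https://issuer.example"  # assumed issuer for this demo
EXPECTED_AUD = "orders-api"              # assumed audience for this demo

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, claims, secret):
    """Mint a compact JWS (used here only to build sample tokens)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token, now=None):
    """Return the claims if every check passes, otherwise None (fail closed)."""
    parts = token.split(".")
    if len(parts) != 3:  # a compact JWS always has exactly three parts
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") not in ALLOWED_ALGS:  # never let the token choose its own algorithm
        return None
    secret = KEYS.get(header.get("kid"))  # kid is an opaque label; unknown labels fail closed
    if secret is None:
        return None
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    aud = claims.get("aud")
    if claims.get("iss") != EXPECTED_ISS or EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (now if now is not None else time.time()):
        return None
    return claims
```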