If a JSON Web Token (JWT) is not signed with a strong signature algorithm (or not signed at all), or if its signature is not verified when the token is decoded, an attacker can forge a token with arbitrary claims and impersonate any user.

Noncompliant Code Example

jwt-dotnet library (decoder is a configured JwtDecoder instance, secret is the HMAC key shared with the issuer):

Imports JWT
Imports JWT.Builder

' verify:=False returns the claims of any token, including one whose payload
' an attacker has rewritten: the signature is never checked.
Dim decodedtoken1 As String = decoder.Decode(token, secret, verify:=False) ' Noncompliant: signature should be verified

' JwtBuilder does not verify the signature unless it is told to.
Dim decodedtoken2 As String = New JwtBuilder().
    WithSecret(secret).
    Decode(forgedtoken1) ' Noncompliant: signature should be verified

Compliant Solution

jwt-dotnet library (decoder is a configured JwtDecoder instance, secret is the HMAC key shared with the issuer):

Imports JWT
Imports JWT.Builder

' verify:=True recomputes the signature over header.payload with secret and compares
' it to the token's signature; a forged token is rejected with a SignatureVerificationException.
Dim decodedtoken1 As String = decoder.Decode(forgedtoken1, secret, verify:=True) ' Compliant

' MustVerifySignature() makes the builder fail on a missing or invalid signature.
Dim decodedtoken2 As String = New JwtBuilder().
    WithSecret(secret).
    MustVerifySignature().
    Decode(token) ' Compliant
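To show concretely what the unverified decode above accepts and what the verified decode rejects, here is an added, self-contained illustration of the mechanism behind the rule. It is not jwt-dotnet code and not part of the original page: it uses only the Python standard library (hmac, hashlib, base64, json) to build an HS256 token, forge two variants of it (rewritten payload with the stale signature kept, and an "alg": "none" token with an empty signature), and then decode each with and without signature verification. The secret and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment uses a high-entropy secret kept out of source control.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the issuer stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as one dot-separated JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: HMAC-SHA256 over 'header.payload', appended as the third segment."""
    header_b64 = json_segment({"alg": "HS256", "typ": "JWT"})
    payload_b64 = json_segment(claims)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What Decode(token, secret, verify:=False) amounts to: trust the payload, ignore the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def decode_verified(token: str, secret: bytes) -> dict:
    """Pin the algorithm, recompute the MAC, compare in constant time, then read the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Never let the token choose the algorithm: 'none' and algorithm-confusion tokens stop here.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def verifies(token: str, secret: bytes) -> bool:
    """True if the token passes verification, False for any forgery or malformed input."""
    try:
        decode_verified(token, secret)
        return True
    except ValueError:  # covers bad base64, bad JSON, wrong segment count, bad signature
        return False


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker: rewrite the claims, keep the header and the now-mismatched signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{json_segment(new_claims)}.{sig_b64}"


def forge_alg_none(claims: dict) -> str:
    """Attacker: declare 'alg': 'none' and ship an empty signature segment."""
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(claims)}."


# Constructed sample tokens.
TOKEN = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
FORGED = forge_payload(TOKEN, {"sub": "alice", "role": "admin"})
NONE_TOKEN = forge_alg_none({"sub": "alice", "role": "admin"})

if __name__ == "__main__":
    print("unverified decode of forged token:", decode_unverified(FORGED))  # role 'admin' is accepted
    print("verified decode of genuine token:", decode_verified(TOKEN, SECRET))
    print("forged token verifies?", verifies(FORGED, SECRET))  # False
    print("alg=none token verifies?", verifies(NONE_TOKEN, SECRET))  # False
```

The unverified path happily returns role "admin" from the forged token, which is exactly what the noncompliant VB.NET calls do. The verified path rejects both forgeries: the rewritten payload no longer matches the MAC, and the "alg": "none" token fails the algorithm pin before any signature comparison. Pinning the expected algorithm on the verifying side, rather than reading it from the token header, is the caveat to carry over to any library: verifying the signature is necessary, but the verifier must also decide which algorithm it is verifying.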

See