As well as accepting HMAC- and RSA-based signing algorithms for the JWT signature, some parsers also allow the signature to be disabled altogether by setting the "alg" header to "none".
I've never come across this in the wild but there are active libraries which support it and so I always check for it just in case, especially as you do occasionally hear reports of it popping up, sometimes in the worst of places!
In April 2020, researchers found that Auth0 was vulnerable to this attack and wrote it up in the blog post:
JSON Web Token Validation Bypass in Auth0 Authentication API
This lab simulates that vulnerability, and it can be exploited easily using the JOSEPH Burp extension mentioned in the blog post.
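The defensive side of the "none" problem is that the "alg" header is attacker-controlled, so a verifier must decide for itself which algorithms are acceptable rather than trusting the token. The following is an added example (not code from this lab, from Auth0 or from the blog post): a small stdlib-only JWT verifier that enforces an allowlist of algorithms, so a token claiming "none" is rejected before any signature logic runs, and an HS256 signature is checked with a constant-time comparison. The key, payloads and helper names are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Allowlist of algorithms this verifier will accept. "none" is deliberately
# absent: the verifier, not the token, decides which algorithms are allowed.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT base64url omits padding; restore it before decoding.
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def _encode_parts(header: dict, payload: dict) -> str:
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256-signed token (used here only to produce test input)."""
    signing_input = _encode_parts({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(payload: dict, alg: str = "none") -> str:
    """Build an alg=none style token with an empty signature (constructed test input)."""
    return _encode_parts({"alg": alg, "typ": "JWT"}, payload) + "."


def verify(token: str, key: bytes) -> dict:
    """Return the payload if the token is validly signed; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Exact match against the allowlist: this is what blocks "none" and any
    # case variants of it, before a single byte of signature is examined.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def check(token: str, key: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for demonstration purposes."""
    try:
        verify(token, key)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; not a real secret
    good = sign_hs256({"sub": "alice", "admin": False}, KEY)
    print(check(good, KEY))                                           # accepted
    print(check(unsigned_token({"sub": "alice", "admin": True}), KEY))  # rejected: algorithm not allowed: 'none'
    print(check(unsigned_token({"sub": "alice"}, alg="None"), KEY))     # rejected: algorithm not allowed: 'None'
```

The important design choice is that the allowlist check happens first and is an exact string match: a verifier that branches on the header's "alg" value and treats "none" as "nothing to verify" is exactly the behaviour this lab reproduces. Pinning the expected algorithm per key also closes the related HMAC/RSA confusion class, since a key issued for one algorithm is never used with another.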
If you get stuck, or want more information, see my walkthrough.
Lab created by Robin Wood - DigiNinja