Findings
Non-standard JSON Web Token
Updated: June 19, 2025
Description
An endpoint is using JSON Web Tokens (JWT) that do not adhere to best current practices detailed in RFC8725.
RFC8725 addresses various vulnerabilities and common pitfalls associated with the use of JWTs, and by declaring support for it, developers signal that they are aware of and have mitigated these risks. This not only enhances the trustworthiness of the API but also provides clarity to developers integrating with the API about the security measures in place. RFC8725, titled "Best Current Practices for JSON Web Token (JWT) Security," highlights the importance of using appropriate cryptographic algorithms, avoiding weak keys, and ensuring that tokens are not susceptible to replay attacks. It also emphasizes the need to validate the structure and claims of a JWT before processing it. By following the practices outlined in RFC8725, developers can mitigate potential security risks associated with JWTs and ensure that they are used in a secure and reliable manner.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Signature Bypass: Weaknesses or flaws in the signature verification process of insecure JWT implementations can be exploited by attackers. They may create tampered or forged JWTs with manipulated signatures, aiming to bypass authentication checks or gain unauthorized access to protected resources.
Remediation
Ensure endpoints using JWT explicitly declare support for RFC8725 in the description. RFC8725 is the most current best practice for JWT use as published by the Internet Engineering Task Force (https://datatracker.ietf.org/doc/html/rfc8725).
Security Frameworks
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client or user compromises API security overall.