During a web-app assessment, you intercept a bearer JWT taken from an Authorization header. You change the token's alg value from HS256 to none, delete the signature segment, and resend the request. The application still recognizes you as an administrator. Which specific session-management weakness should you document in your report?
The application neglects to enforce the exp claim, letting expired tokens remain valid
The implementation accepts the none algorithm, bypassing signature verification altogether
The server incorrectly treats an RS256 public key as an HS256 shared secret during verification
The JWT uses a weak shared secret that can be brute-forced offline
Because the server accepts a token whose header sets alg to none and whose signature segment is missing, it is skipping cryptographic verification entirely. This is the classic none-algorithm flaw in JWT handling, allowing an attacker to modify claims and impersonate any user. Issues such as failing to check token expiration, using a weak shared secret, or confusing RS256 and HS256 involve different mistakes: they still require a signature to be present and validated, so they do not explain why an unsigned token is accepted here.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the none algorithm in JWT?
Open an interactive chat with Bash
Why is cryptographic signature verification important in JWTs?
Open an interactive chat with Bash
How can developers prevent the none-algorithm vulnerability in JWT handling?
Open an interactive chat with Bash
What is a Bearer JWT?
Open an interactive chat with Bash
What vulnerabilities exist with the 'none' algorithm in JWTs?
Open an interactive chat with Bash
How should JWTs be secured against signature bypass attacks?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .