question

0 Votes
Kris121 asked Kris121 edited

Missing protection claims: jti or nonce

Our DAST tool flags the JWT token as vulnerable because of "Missing protection claims: jti or nonce". What is the remediation for this? How do I add jti or nonce to a JWT token?

azure-ad-authentication

@Siva-9848, in the ID token provided by Azure AD, which uses JWT formatting, nonce is always there and jti is optional. However, it would be great if you could provide the details as to how the DAST application checks the same and what OAuth flow was used to obtain the token.


0 Votes

Hi Shashi,

These are API access tokens obtained either via the on-behalf-of flow (in the case of user-based tokens) or via client credentials (in the case of application-based tokens).

The DAST tool (WebInspect) will just decode the token and verify which claims are present in the payload/header.


0 Votes
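The comments above describe a scanner that decodes the token and checks which claims are in the payload. The following is an added example, not code from the thread, from WebInspect or from Microsoft: it constructs two sample tokens (placeholder signatures, not real Azure AD tokens), reproduces the "decode and look for jti/nonce" check, and shows the one thing a resource API can do with jti when the issuer includes it: reject a token whose jti has already been seen before its exp. Claim contents are decided by whoever mints the token, so the check only reports what the issuer put there; it does not verify the signature and must never be used in place of full token validation.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED token for the demo. The signature segment is a
    placeholder string: this example never verifies signatures, because the
    question is only which claims the payload carries."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "placeholder-signature"])


def decode_claims(token: str):
    """Split a compact JWT into (header, payload) WITHOUT signature checks.
    This mirrors what the scanner does; it says nothing about trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


PROTECTION_CLAIMS = ("jti", "nonce")


def missing_protection_claims(token: str) -> list:
    """Return the protection claims absent from the payload, in fixed order."""
    _, payload = decode_claims(token)
    return [claim for claim in PROTECTION_CLAIMS if claim not in payload]


class ReplayGuard:
    """Remember each accepted jti until the token's exp and refuse repeats.
    Only useful when the issuer actually emits jti; fails closed otherwise."""

    def __init__(self):
        self._seen = {}  # jti -> exp (epoch seconds)

    def accept(self, payload: dict, now=None) -> bool:
        now = time.time() if now is None else now
        # Drop expired entries so memory is bounded by tokens still valid.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        jti, exp = payload.get("jti"), payload.get("exp")
        if jti is None or exp is None:
            return False  # cannot deduplicate without jti/exp
        if exp <= now or jti in self._seen:
            return False  # expired, or already presented once
        self._seen[jti] = exp
        return True


# Constructed payloads (values are illustrative, not real tenant data).
TOKEN_WITH_JTI = make_sample_token(
    {"aud": "api://example", "sub": "user-1", "exp": 2_000_000_000, "jti": "id-0001"})
TOKEN_WITHOUT = make_sample_token(
    {"aud": "api://example", "sub": "user-1", "exp": 2_000_000_000})


if __name__ == "__main__":
    print("missing:", missing_protection_claims(TOKEN_WITHOUT))   # ['jti', 'nonce']
    print("missing:", missing_protection_claims(TOKEN_WITH_JTI))  # ['nonce']
    guard = ReplayGuard()
    _, claims = decode_claims(TOKEN_WITH_JTI)
    print("first use:", guard.accept(claims, now=1_900_000_000))   # True
    print("replayed:", guard.accept(claims, now=1_900_000_000))    # False
```

The scanner finding is purely about claim presence, so reproducing it locally tells you whether the issuer emitted jti or nonce for a given flow; the ReplayGuard shows the defensive value those claims have on the consuming side, which is the reason scanners look for them.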

0 Answers