Our DAST tool flags the JWT token as vulnerable because of "Missing protection claims: jti or nonce". What is the remediation for this? How do we add jti or nonce to a JWT token?
@Siva-9848, in the ID token provided by Azure AD, which uses JWT formatting, nonce is always there and jti is optional. However, it would be great if you could provide the details as to how the DAST application checks the same and what OAuth flow was used to obtain the token?
Hi Shashi,
These are API access tokens, either obtained via the on-behalf-of flow (in the case of user-based tokens) or client credentials (in the case of application-based tokens).
The DAST tool (WebInspect) will just decode the token and verify what claims are present in the payload/header.
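To show what the two flagged claims actually protect against, here is an added example that is not part of this thread and is not Azure AD or WebInspect code. The claims in a token issued by Azure AD are set by Azure AD, so this example instead models a service that mints its own HS256 access tokens: the issuer puts a unique `jti` (and, when the caller supplied one, a `nonce`) into the payload, and the resource server rejects a token whose `jti` it has already accepted (replay) or whose `nonce` does not match the one it expects. The key, names, claim values and the in-memory `ReplayGuard` are all constructed for the demo; a real deployment would keep the seen-`jti` store in shared storage and use a managed key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key for the example only; a real issuer uses a managed secret or an RS256 key pair.
DEMO_KEY = b"constructed-demo-hmac-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, key: bytes, nonce: Optional[str] = None,
                ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT that carries a unique jti and, optionally, the caller's nonce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(16),  # unique per token, so a second presentation is detectable
    }
    if nonce is not None:
        payload["nonce"] = nonce  # ties the token to the specific request that asked for it
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class ReplayGuard:
    """Remembers accepted jti values until their token expires; a repeat is a replay."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_record(self, jti: str, exp: int, now: int) -> bool:
        # Evict expired entries so the store is bounded by the token lifetime.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_token(token: str, key: bytes, guard: ReplayGuard,
                 expected_nonce: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Check signature, expiry, jti presence/uniqueness and nonce; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    jti = payload.get("jti")
    if not jti:
        raise ValueError("missing jti")  # the condition the DAST finding is about
    if expected_nonce is not None and payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not guard.check_and_record(jti, payload["exp"], now):
        raise ValueError("replayed token")
    return payload


if __name__ == "__main__":
    guard = ReplayGuard()
    tok = issue_token("alice@example.test", DEMO_KEY, nonce="req-7f3a")
    print(verify_token(tok, DEMO_KEY, guard, expected_nonce="req-7f3a")["jti"])
    try:
        verify_token(tok, DEMO_KEY, guard, expected_nonce="req-7f3a")
    except ValueError as err:
        print("second use rejected:", err)
```

The point the example makes for the finding: a `jti` only helps if the verifier stores the values it has accepted and refuses repeats, and a `nonce` only helps if the verifier compares it against the value it handed out. Adding the claims to the payload without those checks satisfies the scanner but changes nothing about replay resistance.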