Why This Issue Is Important
If a JWT/JWS is decoded without being verified, it could lead to processing of untrusted data in the proxy flow. An attacker could craft a JWT/JWS with malicious claims, which would then be used in the flow without validation. This can compromise the security of the API and lead to unauthorized access or manipulation of sensitive data.
How This Issue Is Detected
The detection logic flags a flow phase that contains a DecodeJWT or DecodeJWS step but no matching verification step (a VerifyJWT/VerifyJWS policy) in that same phase. For each step it looks up the policy's type and then checks whether a JWT/JWS verification step appears after the decoding step within the same phase of the same flow.
How to Fix the Issue
Ensure that the JWT/JWS is verified immediately after it is decoded in the same flow phase. Use the VerifyJWT/VerifyJWS policy to validate the token's signature and claims before using the decoded data in the proxy flow.
<!-- JWT: decode, then verify signature and claims in the same flow phase -->
<Step>
    <Name>DecodeJWT</Name>
</Step>
<Step>
    <Name>VerifyJWT</Name>
</Step>
<!-- JWS: the same decode-then-verify pairing -->
<Step>
    <Name>DecodeJWS</Name>
</Step>
<Step>
    <Name>VerifyJWS</Name>
</Step>
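The following is an added example, not part of the original page or of any linter project, showing the detection described above run over a constructed proxy endpoint: it walks every Request/Response phase of the PreFlow, PostFlow and conditional Flows, resolves each step name to its policy type through a constructed name-to-type table (in a real bundle the type is the root element of apiproxy/policies/<name>.xml), and reports any DecodeJWT/DecodeJWS step that is not followed by its VerifyJWT/VerifyJWS counterpart in the same phase. The endpoint XML, policy names and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed policy inventory: step name -> policy type (root element of the
# policy XML). Assumed for the example; a real check reads the policy files.
POLICY_TYPES = {
    "DecodeJWT": "DecodeJWT",
    "VerifyJWT": "VerifyJWT",
    "DecodeJWS": "DecodeJWS",
    "VerifyJWS": "VerifyJWS",
    "AssignMessage": "AssignMessage",
}

# Which verification policy type must follow each decoding policy type.
DECODE_TO_VERIFY = {"DecodeJWT": "VerifyJWT", "DecodeJWS": "VerifyJWS"}

# Constructed endpoint: the PreFlow Request decodes a JWT but never verifies it,
# and GetOrders decodes in Request while the verification sits in Response.
VULNERABLE_ENDPOINT = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>DecodeJWT</Name></Step>
      <Step><Name>AssignMessage</Name></Step>
    </Request>
    <Response>
      <Step><Name>DecodeJWS</Name></Step>
      <Step><Name>VerifyJWS</Name></Step>
    </Response>
  </PreFlow>
  <Flows>
    <Flow name="GetOrders">
      <Request>
        <Step><Name>DecodeJWT</Name></Step>
      </Request>
      <Response>
        <Step><Name>VerifyJWT</Name></Step>
      </Response>
    </Flow>
  </Flows>
</ProxyEndpoint>
"""

# Same endpoint with VerifyJWT placed directly after each DecodeJWT.
FIXED_ENDPOINT = VULNERABLE_ENDPOINT.replace(
    "<Step><Name>DecodeJWT</Name></Step>",
    "<Step><Name>DecodeJWT</Name></Step>\n      <Step><Name>VerifyJWT</Name></Step>",
)


def iter_phases(root):
    """Yield (flow_label, phase_name, phase_element) for every Request and
    Response phase in the PreFlow, PostFlow and each conditional Flow."""
    for flow in root.iter():
        if flow.tag not in ("PreFlow", "PostFlow", "Flow"):
            continue
        label = flow.get("name") or flow.tag
        for phase in ("Request", "Response"):
            elem = flow.find(phase)
            if elem is not None:
                yield label, phase, elem


def find_unverified_decodes(endpoint_xml, policy_types):
    """Return (flow, phase, step_name) for each decode step that has no
    matching verification step later in the same flow phase."""
    root = ET.fromstring(endpoint_xml)
    findings = []
    for label, phase, elem in iter_phases(root):
        names = [s.findtext("Name", "").strip() for s in elem.findall("Step")]
        types = [policy_types.get(n) for n in names]
        for i, step_type in enumerate(types):
            required = DECODE_TO_VERIFY.get(step_type)
            if required is None:
                continue  # not a decoding policy
            if required not in types[i + 1:]:
                findings.append((label, phase, names[i]))
    return findings


if __name__ == "__main__":
    for flow, phase, step in find_unverified_decodes(VULNERABLE_ENDPOINT, POLICY_TYPES):
        print(f"{flow}/{phase}: {step} is decoded but never verified in this phase")
    print("fixed endpoint findings:", find_unverified_decodes(FIXED_ENDPOINT, POLICY_TYPES))
```

The check deliberately keys on policy type rather than step name, so a DecodeJWT policy saved under an unrelated name is still caught, and it treats a verification step in a different phase of the same flow as missing, which is exactly the "same flow phase" condition the rule states.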