JWT Vulnerabilities
Become VeryLazyTech member! π
Follow us on:
β Twitter @VeryLazyTech.
πΎ Github @VeryLazyTech.
π Medium @VeryLazyTech.
πΊ YouTube @VeryLazyTech.
π© Telegram @VeryLazyTech.
π΅οΈββοΈ My Site @VeryLazyTech.
Visit our shop for e-books and courses. π
What is JWT?
JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts:
Header β Specifies the token type and signing algorithm (e.g., HS256, RS256).
Payload β Contains the claims, such as user ID, roles, and expiration time.
Signature β Used to verify the authenticity of the token.
A typical JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpv
biBEb2UiLCJhZG1pbiI6dHJ1ZX0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWTs are widely used in APIs, Single Sign-On (SSO), and authentication mechanisms, but their security largely depends on correct implementation.
Find JWT tokens
1. Inspect HTTP Headers
JWTs are often passed in HTTP headers, particularly in the Authorization
header:
Authorization: Bearer <your_jwt_token>
Use tools like Burp Suite, Postman, or your browserβs Developer Tools to inspect network requests and locate JWTs.
2. Check Local Storage, Session Storage, and Cookies
JWTs may be stored in:
console.log(localStorage.getItem('token'));
console.log(sessionStorage.getItem('token'));
console.log(document.cookie);
Use browser Developer Tools (F12
-> Application
-> Storage
) to find them.
3. Search in JavaScript Files
Developers sometimes hardcode JWTs in JavaScript files. Use tools like grep
:
grep -r 'eyJ' /var/www/html/
Or use Burp Suiteβs passive scanner to detect tokens.
4. Analyze API Responses
JWTs are often returned in API responses. Use tools like curl
:
curl -X GET https://example.com/api -H "Authorization: Bearer <token>"
Intercept API responses with Burp Suite or OWASP ZAP to extract JWTs.
5. Check Logs and Error Messages
JWTs may be leaked in logs or error messages. Run:
grep -r 'Authorization: Bearer' /var/log/
Review logs, especially if debugging mode is enabled.
6. Use Search Engines (Google Dorking)
Sometimes JWTs are exposed online. Try:
site:example.com inurl:token
Quick win
Run jwt_tool with mode All Tests!
and wait for green lines
python3 jwt_tool.py -M at \
-t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
-rh "Authorization: Bearer eyJhbG...<JWT Token>"
If you are lucky the tool will find some case where the web application is incorrectly checking the JWT:
Then, you can search the request in your proxy or dump the used JWT for that request using jwt_ tool:
python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"
You can also use the Burp Extension SignSaboteur to launch JWT attacks from Burp.
Common JWT Vulnerabilities and Exploitation Techniques
1. Algorithm Confusion Attack (None Algorithm Bypass)
If a server improperly verifies the signing algorithm, an attacker can modify the header to use "alg": "none"
, bypassing signature verification.
Exploitation:
Capture a valid JWT token.
Modify the header to:
{ "alg": "none", "typ": "JWT" }
Remove the signature part and send the modified token to the server.
If the server accepts the unsigned token, authentication is bypassed.
2. Weak Secret Key (Brute-Force HS256 Secret Key)
HS256 requires a secret key for signing, but weak secrets can be brute-forced using tools like jwt-cracker
or John the Ripper
.
Exploitation:
Extract the JWT token.
Use
jwt-tool
orhashcat
to brute-force the key:hashcat -m 16500 -a 3 token.jwt rockyou.txt
If cracked, forge valid JWT tokens with arbitrary claims.
3. Key Confusion in RS256 to HS256 Downgrade Attack
If a server allows switching between RS256
and HS256
, an attacker can trick it into using a public key as an HMAC secret key.
Exploitation:
Extract the public key of the application.
Change the algorithm in the JWT header from
RS256
toHS256
.Sign the token using the extracted public key.
If accepted, the attacker can generate valid admin JWTs.
4. JWT Expiration and Replay Attacks
Expired tokens may still be accepted if expiration checks are not properly implemented.
Exploitation:
Capture a valid JWT.
Modify the
exp
field in the payload to extend its validity.Resign the token and reuse it to gain prolonged access.
5. Sensitive Data Exposure in JWT Payloads
JWT payloads are base64-encoded, not encrypted. Storing sensitive data in them can lead to information leaks.
Exploitation:
Decode the JWT payload:
echo '<JWT_PAYLOAD>' | base64 -d
If sensitive information (passwords, API keys) is exposed, attackers can use it for further attacks.
Tools for Penetration Testing JWTs
1. jwt_tool
A powerful Python tool for testing JWT security.
Install it using:
pip install jwt_tool
Example usage:
jwt_tool <token> -C -d wordlist.txt
2. jwt-cracker
Used for brute-forcing weak JWT secrets.
Command:
jwt-cracker -t <token>
3. Burp Suite with JWT Editor
Intercept and modify JWTs in real time.
Add
JWT Editor
extension from Burpβs BApp Store.
4. John the Ripper & Hashcat
Used for cracking JWT HMAC secrets.
Hashcat example:
hashcat -m 16500 -a 3 <token> rockyou.txt
Learn & practice For the OSCP.
Last updated
Was this helpful?