JWT Vulnerabilities

What is JWT?

JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts:

  • Header – Specifies the token type and signing algorithm (e.g., HS256, RS256).

  • Payload – Contains the claims, such as user ID, roles, and expiration time.

  • Signature – Used to verify the authenticity of the token.

A typical JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpv
biBEb2UiLCJhZG1pbiI6dHJ1ZX0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWTs are widely used in APIs, Single Sign-On (SSO), and authentication mechanisms, but their security largely depends on correct implementation.


Find JWT tokens

1. Inspect HTTP Headers

JWTs are often passed in HTTP headers, particularly in the Authorization header:

Authorization: Bearer <your_jwt_token>

Use tools like Burp Suite, Postman, or your browser’s Developer Tools to inspect network requests and locate JWTs.

2. Check Local Storage, Session Storage, and Cookies

JWTs may be stored in:

console.log(localStorage.getItem('token'));
console.log(sessionStorage.getItem('token'));
console.log(document.cookie);

Use browser Developer Tools (F12 -> Application -> Storage) to find them.

3. Search in JavaScript Files

Developers sometimes hardcode JWTs in JavaScript files. Use tools like grep:

grep -r 'eyJ' /var/www/html/

Or use Burp Suite’s passive scanner to detect tokens.

4. Analyze API Responses

JWTs are often returned in API responses. Use tools like curl:

curl -X GET https://example.com/api -H "Authorization: Bearer <token>"

Intercept API responses with Burp Suite or OWASP ZAP to extract JWTs.

5. Check Logs and Error Messages

JWTs may be leaked in logs or error messages. Run:

grep -r 'Authorization: Bearer' /var/log/

Review logs, especially if debugging mode is enabled.

6. Use Search Engines (Google Dorking)

Sometimes JWTs are exposed online. Try:

site:example.com inurl:token

Quick win

Run jwt_tool with mode All Tests! and wait for green lines

python3 jwt_tool.py -M at \
    -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
    -rh "Authorization: Bearer eyJhbG...<JWT Token>"

If you are lucky the tool will find some case where the web application is incorrectly checking the JWT:

Then, you can search the request in your proxy or dump the used JWT for that request using jwt_ tool:

python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"

You can also use the Burp Extension SignSaboteur to launch JWT attacks from Burp.


Common JWT Vulnerabilities and Exploitation Techniques

1. Algorithm Confusion Attack (None Algorithm Bypass)

If a server improperly verifies the signing algorithm, an attacker can modify the header to use "alg": "none", bypassing signature verification.

Exploitation:

  1. Capture a valid JWT token.

  2. Modify the header to:

    { "alg": "none", "typ": "JWT" }
  3. Remove the signature part and send the modified token to the server.

  4. If the server accepts the unsigned token, authentication is bypassed.


2. Weak Secret Key (Brute-Force HS256 Secret Key)

HS256 requires a secret key for signing, but weak secrets can be brute-forced using tools like jwt-cracker or John the Ripper.

Exploitation:

  1. Extract the JWT token.

  2. Use jwt-tool or hashcat to brute-force the key:

    hashcat -m 16500 -a 3 token.jwt rockyou.txt
  3. If cracked, forge valid JWT tokens with arbitrary claims.


3. Key Confusion in RS256 to HS256 Downgrade Attack

If a server allows switching between RS256 and HS256, an attacker can trick it into using a public key as an HMAC secret key.

Exploitation:

  1. Extract the public key of the application.

  2. Change the algorithm in the JWT header from RS256 to HS256.

  3. Sign the token using the extracted public key.

  4. If accepted, the attacker can generate valid admin JWTs.


4. JWT Expiration and Replay Attacks

Expired tokens may still be accepted if expiration checks are not properly implemented.

Exploitation:

  1. Capture a valid JWT.

  2. Modify the exp field in the payload to extend its validity.

  3. Resign the token and reuse it to gain prolonged access.


5. Sensitive Data Exposure in JWT Payloads

JWT payloads are base64-encoded, not encrypted. Storing sensitive data in them can lead to information leaks.

Exploitation:

  1. Decode the JWT payload:

    echo '<JWT_PAYLOAD>' | base64 -d
  2. If sensitive information (passwords, API keys) is exposed, attackers can use it for further attacks.


Tools for Penetration Testing JWTs

1. jwt_tool

  • A powerful Python tool for testing JWT security.

  • Install it using:

    pip install jwt_tool
  • Example usage:

    jwt_tool <token> -C -d wordlist.txt

2. jwt-cracker

  • Used for brute-forcing weak JWT secrets.

  • Command:

    jwt-cracker -t <token>

3. Burp Suite with JWT Editor

  • Intercept and modify JWTs in real time.

  • Add JWT Editor extension from Burp’s BApp Store.

4. John the Ripper & Hashcat

  • Used for cracking JWT HMAC secrets.

  • Hashcat example:

    hashcat -m 16500 -a 3 <token> rockyou.txt

Last updated

Was this helpful?