JWT Vulnerabilities
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech ! π
Follow us on:
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π
JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts:
Header β Specifies the token type and signing algorithm (e.g., HS256, RS256).
Payload β Contains the claims, such as user ID, roles, and expiration time.
Signature β Used to verify the authenticity of the token.
A typical JWT looks like this:
JWTs are widely used in APIs, Single Sign-On (SSO), and authentication mechanisms, but their security largely depends on correct implementation.
JWTs are often passed in HTTP headers, particularly in the Authorization header:
Use tools like Burp Suite, Postman, or your browserβs Developer Tools to inspect network requests and locate JWTs.
JWTs may be stored in:
Use browser Developer Tools (F12 -> Application -> Storage) to find them.
Developers sometimes hardcode JWTs in JavaScript files. Use tools like grep:
Or use Burp Suiteβs passive scanner to detect tokens.
JWTs are often returned in API responses. Use tools like curl:
Intercept API responses with Burp Suite or OWASP ZAP to extract JWTs.
JWTs may be leaked in logs or error messages. Run:
Review logs, especially if debugging mode is enabled.
Sometimes JWTs are exposed online. Try:
If you are lucky the tool will find some case where the web application is incorrectly checking the JWT:
Then, you can search the request in your proxy or dump the used JWT for that request using jwt_ tool:
If a server improperly verifies the signing algorithm, an attacker can modify the header to use "alg": "none", bypassing signature verification.
Exploitation:
Capture a valid JWT token.
Modify the header to:
Remove the signature part and send the modified token to the server.
If the server accepts the unsigned token, authentication is bypassed.
HS256 requires a secret key for signing, but weak secrets can be brute-forced using tools like jwt-cracker or John the Ripper.
Exploitation:
Extract the JWT token.
Use jwt-tool or hashcat to brute-force the key:
If cracked, forge valid JWT tokens with arbitrary claims.
If a server allows switching between RS256 and HS256, an attacker can trick it into using a public key as an HMAC secret key.
Exploitation:
Extract the public key of the application.
Change the algorithm in the JWT header from RS256 to HS256.
Sign the token using the extracted public key.
If accepted, the attacker can generate valid admin JWTs.
Expired tokens may still be accepted if expiration checks are not properly implemented.
Exploitation:
Capture a valid JWT.
Modify the exp field in the payload to extend its validity.
Resign the token and reuse it to gain prolonged access.
JWT payloads are base64-encoded, not encrypted. Storing sensitive data in them can lead to information leaks.
Exploitation:
Decode the JWT payload:
If sensitive information (passwords, API keys) is exposed, attackers can use it for further attacks.
A powerful Python tool for testing JWT security.
Install it using:
Example usage:
Used for brute-forcing weak JWT secrets.
Command:
Intercept and modify JWTs in real time.
Add JWT Editor extension from Burpβs BApp Store.
Used for cracking JWT HMAC secrets.
Hashcat example:
Run with mode All Tests! and wait for green lines
You can also use the to launch JWT attacks from Burp.
Learn & practice
Become VeryLazyTech ! π
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π
