🔐 JWT Attacks Playbook

A practical guide to breaking JSON Web Token authentication

This repository documents real-world JWT authentication bypass techniques caused by insecure implementation choices.

Each attack is explained with root cause, exploitation logic, impact, and mitigation.

JWTs are not insecure by design misuse makes them vulnerable.

---

📌 Scope

This repository covers the following JWT attack classes:

• Unverified signature acceptance
• Flawed signature verification
• Weak HMAC signing keys
• JWK header injection
• JKU header injection
• kid header path traversal
• Algorithm confusion (RS256 ↔ HS256)
• Algorithm confusion with no exposed key

All techniques were validated in hands-on security labs that closely resemble real-world API misconfigurations.

---

📚 Table of Contents

• JWT Basics
• Attack Surface Overview
• JWT Authentication Bypass Techniques
  • Unverified Signature
  • Flawed Signature Verification
  • Weak Signing Key
  • JWK Header Injection
  • JKU Header Injection
  • KID Header Path Traversal
  • Algorithm Confusion
  • Algorithm Confusion (No Exposed Key)
• Common Root Causes
• Defensive Checklist

---

🔍 JWT Basics

A JSON Web Token (JWT) consists of three Base64URL-encoded components:

HEADER.PAYLOAD.SIGNATURE

JWT security does not rely on encryption, but on correct signature verification and strict validation logic.

❗ Any JWT field controlled by the client must be treated as untrusted input.

---

🎯 Attack Surface Overview

JWT vulnerabilities typically target:

• Signature verification logic
• Algorithm handling (alg)
• Key management (kid, secrets, public keys)
• Header trust (jwk, jku)
• Claim validation (exp, aud, iss)

Most JWT vulnerabilities arise from developer convenience shortcuts, not cryptographic failures.

---

🧨 JWT Authentication Bypass Techniques

---

1️⃣ Unverified Signature

What breaks
The server decodes JWTs but never verifies the signature.

Why it happens

• decode() used instead of verify()
• Misconfigured authentication middleware

Exploitation logic

• Modify payload claims (e.g., "role": "admin")
• Keep signature invalid or empty
• Server still accepts the token

Impact

• Privilege escalation
• Account takeover

Mitigation

• Always enforce signature verification
• Explicitly reject unsigned tokens

---

1️⃣ Unverified Signature Attack Example

• Modify the JWT token signature's last bits and resend the request if it returns 200 OK it's Vulnerable
• For example change pg to xx or ab in serialized jwt section

• Decoding is not Verification
• Here Kid param is the key needs to be used
• Here iss is issuer of jwt token
• Here exp is expiry in epoch time
• Here sub is account user we are logged with

---

2️⃣ Flawed Signature Verification

What breaks
Signature verification exists but fails open due to improper error handling.

Common mistakes

• Verification exceptions ignored
• Failure defaults to authenticated state

Impact

• Authentication bypass

Mitigation

• Fail closed on all verification errors
• Log and monitor verification failures

---

2️⃣ Flawed Signature Verification Attack Example

• Modify and check if the application accepts an unsigned jwt / none algorithm

• Change the algorithm param to none and remove the signature from the serialized jwt section and resend the request if it returns 200 OK it's Vulnerable

  

---

3️⃣ Weak Signing Key

What breaks
JWTs are signed using weak or predictable HMAC secrets.

Attack flow

1. Capture a valid JWT
2. Brute-force the signing key
3. Re-sign token with elevated privileges

Impact

• Token forgery
• Full account compromise

Mitigation

• Use high-entropy secrets
• Rotate keys periodically

---

3️⃣ Weak Signing Key Attack Example

• Here we check for weak sining key that we can brute force

• Only suitable for symmetric key's like HS256

• We will copy jwt token and perfom offline attack to crack the key using hashcat [GPU-based] / use John the Ripper for [CPU-based]

  

• We will convert it using Burp decoder to base64

• We will create a new Symmetric Key using JWT Editor
• JWT Editor > New Symmetric Key > Generate > Replace k param with our cracked key

• We will modify our req here we have changed the user to admin and we will sign it with our genrated key and send the request

---

4️⃣ JWK Header Injection

What breaks
The server trusts the jwk header supplied by the client.

Exploitation logic

• Embed attacker-controlled public key
• Sign token with matching private key
• Server verifies token using attacker-supplied key

Impact

• Complete authentication bypass

Mitigation

• Never accept keys from JWT headers
• Store verification keys server-side only
• Let's Genrate our Public key

---

4️⃣ JWK Header Injection Attack Example

• Here we will try to inject our own public key

• If the application is misconfigured it will just accept any key and will not verify the key

• JWT Editor > New RSA Key > Genrate

• Let's Embedded JwK we will change the sub to admin sign it with our key and send the request

---

5️⃣ JKU Header Injection

What breaks
The server fetches signing keys from a URL specified in the JWT.

Exploitation logic

• Host a malicious JWKS
• Set jku to attacker-controlled URL
• Server fetches and trusts the key

Impact

• Authentication bypass
• Potential SSRF

Mitigation

• Use static, allow-listed key URLs
• Disable dynamic key fetching

---

5️⃣ JKU Header Injection Attack Example

• Here we will check if the applciation accepts arbitrary jiu parameter
• First we will genrate a RSA key

• We will genrate our paylod body in exploit server

• We will copy our Public key as JWK

  

• Paste the key in exploit server and also replace the kid param with our genrated key

• Copy and Paste our Exploit server url to jku param

• Lastly we change sub to admin will sign it with our genrated pub key and send the request

---

6️⃣ KID Header Path Traversal

What breaks
The kid header value is mapped directly to filesystem paths.

Exploitation logic

• Inject path traversal payloads
• Force server to load unintended files as keys

Impact

• Authentication bypass
• Sensitive file access

Mitigation

• Treat kid as a logical identifier
• Use key-to-ID mapping, not filesystem paths

---

6️⃣ KID Header Path Traversal Attack Example

• Here we will check if the kid paramener is vulnerable to path traverlsal or directly traversal

• We will also confirm if admin pannel exist

  

• We can try to change the sub to administrator but it won’t work because the signature will not match signature generated in backend

  

• Here we will sign it will dev/null file its a empty file that return empty string

• So we will move up some files and use dev null key to sign it

• We will use "../../../../../../../../dev/null" payload for this

  

• We will use this null signature to verify that it matches our null signed byte

  

• Jwt Editor > New Symmetric key > Genrate> Edit the k param with our null signed byte

  

• Key generated

  

• Use this key to sign > select our key > click ok

  

• So basically, if it was vulnerable, it would cross-check /dev null we placed to AA== we placed, which would be the same as null and we will be able to exploit it

---

7️⃣ Algorithm Confusion (RS256 ↔ HS256)

What breaks
The server supports both symmetric and asymmetric algorithms.

Exploitation logic

• Change alg from RS256 to HS256
• Use public key as HMAC secret
• Server validates token successfully

Impact

• Token forgery
• Administrative access

Mitigation

• Enforce strict algorithm allowlists
• Separate key usage by algorithm type

---

7️⃣ Algorithm Confusion (RS256 ↔ HS256) Attack Example

• We will check if the application is vulnerable to algorithm confusion attack also called as key confusion attack

• Before We perfom attack

• There are two types of keys sym (one key) and asym (two keys | public & private)

• Private key is used to sign the tokens

• Our goal here is to confuse the server we will use same algo to sign the token and verify the keys (Public Key)

• Here RS256 algo is used

• Websites generally store public keys at [domain]/jwks.json endpoint

  

• Browser View

  

• We will carefully copy selected section of key

  

• Jwt Editor > New RSA key > We will paste the content here

  

• Copy the content as Copy Public key as PEM

• Paste it in decoder and encode them as base64

  

• Copy the base64 genrated key we will use it as our new symmetric key

• JWT Editor > New Symmetric key > Genrate > Paste the base64 content in k param

• Modify the content with our intend here we will change alg and sub param with HS256 and admin

  

• Sign the payload with our genrated key

  

---

8️⃣ Algorithm Confusion with No Exposed Key

What breaks
Key discovery through:

• Public JWKS endpoints
• Predictable configuration paths

Impact

• Same as classic algorithm confusion
• Full authentication bypass

Mitigation

• Restrict key exposure
• Secure key distribution mechanisms

---

Common Root Causes

• Trusting client-controlled JWT headers
• Supporting multiple algorithms unnecessarily
• Weak or reused signing keys
• Improper error handling
• Missing claim validation

---

🛡️ Defensive Checklist

• ✔ Always verify JWT signatures
• ✔ Enforce strict algorithm allowlists
• ✔ Never trust jwk or jku headers
• ✔ Sanitize and validate kid
• ✔ Use strong, rotated signing keys
• ✔ Validate exp, aud, and iss
• Never decode tokens without verification

---

✍️ Author

Karan Kurani
Cybersecurity | Web Security | Pentesting

GitHub: https://github.com/karankurani Linkedin: https://www.linkedin.com/in/karan-kurani/