JWT Attacks: A Pentester's Guide to Algorithm Confusion and Token Manipulation
JSON Web Tokens (JWTs) are everywhere — API authentication, SSO, session management. But they're frequently misconfigured, leading to authentication bypass and privilege escalation.
JWT Structure
A JWT has three parts, header.payload.signature, each base64url-encoded (without padding):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 (header, decodes to {"alg":"HS256","typ":"JWT"})
eyJzdWIiOiIxIiwiYWRtaW4iOnRydWV9 (payload, decodes to {"sub":"1","admin":true})
signature (signature, computed over header.payload)
Attack #1: None Algorithm
The simplest attack — set the algorithm to "none" and remove the signature:
{"alg": "none", "typ": "JWT"}
Many libraries accept unsigned tokens if the algorithm is set to "none". Try variations: None, NONE, nOnE.
Attack #2: Algorithm Confusion (RS256 → HS256)
If the server uses RS256 (asymmetric), you can try switching the header to HS256 (symmetric) and signing with the server's public key. If the verification code passes whatever key it has configured (the RSA public key) into the HMAC routine because the token says HS256, your signature will be valid.
Attack #3: JWK/JKU Injection
Inject your own key into the JWT header:
{"alg": "RS256", "jku": "https://attacker.com/.well-known/jwks.json"}
If the server fetches keys from the JKU URL without validation, it will use your attacker-controlled key.
Attack #4: KID Parameter Injection
The kid (Key ID) parameter can be vulnerable to:
- Path traversal: "kid": "../../dev/null" (sign with an empty key)
- SQL injection: "kid": "key' UNION SELECT 'secret'--"
Attack #5: Weak Secrets
For HMAC-signed tokens, brute-force the secret:
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
Common weak secrets: secret, password, 123456, changeme
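To show what closes all five attacks above on the server side, here is an added example (not code from the original page or from its tool suite) of a hardened verifier written against Python's standard library. It enforces a case-sensitive algorithm allowlist (Attack #1), pins the algorithm to the stored key rather than to the token (Attack #2), never reads jku/jwk/x5u (Attack #3), restricts kid to a safe character set and a known key list (Attack #4), and requires HS256 secrets of at least 256 bits per RFC 7518 (Attack #5). The key ids, the HMAC secret, the placeholder RSA public key and the attacker URL are all constructed for the demonstration; RS256 signature checking itself is out of scope here and is left to a JOSE library, the RS256 keystore entry exists only to exercise the pinning check. run_checks() builds one token per attack shape and returns the verifier's reason for each.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Exact, case-sensitive allowlist: "none", "None" and "nOnE" never match (Attack #1).
ALLOWED_ALGS = {"HS256", "RS256"}
# kid is only a lookup name, so it is limited to a short, safe character set (Attack #4).
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_jwt(token: str) -> tuple:
    """Split header.payload.signature into (header, payload, signature bytes, signing input)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three segments")
    header, payload = json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload, b64url_decode(parts[2]), parts[0] + "." + parts[1]

def is_acceptable_hmac_secret(secret: bytes) -> bool:
    """RFC 7518 s3.2: HS256 keys must be >= 256 bits, which rules out 'secret', 'password', ... (Attack #5)."""
    return len(secret) >= 32

def verify_jwt(token: str, keystore: dict) -> tuple:
    """Return (ok, reason, payload). Keys come only from the server-side keystore."""
    try:
        header, payload, sig, signing_input = parse_jwt(token)
    except (ValueError, TypeError):
        return False, "malformed token", None
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, "algorithm not allowed", None
    # jku, jwk and x5u are never read: only the local keystore is trusted, so an injected key URL has no effect (Attack #3).
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.match(kid):
        return False, "invalid kid", None
    entry = keystore.get(kid)
    if entry is None:
        return False, "unknown kid", None
    # Pin the algorithm to the key, not the token: an RSA public key entry can never act as an HMAC secret (Attack #2).
    if alg != entry["alg"]:
        return False, "algorithm does not match key", None
    if alg == "HS256":
        expected = hmac.new(entry["secret"], signing_input.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature", None
        return True, "ok", payload
    # RSA signature checks need an RSA implementation; delegate them to a JOSE library.
    return False, "RS256 verification not implemented in this example", None

def encode_segments(header: dict, payload: dict) -> str:
    """Unsigned header.payload string; used here only to build sample tokens."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(payload)

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = encode_segments(header, payload)
    return signing_input + "." + b64url_encode(
        hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest())

# Constructed demo keystore: the kids, the secret and the RSA "public key" are all made up.
SERVER_HMAC_SECRET = secrets.token_bytes(32)  # 256 random bits, as RFC 7518 requires
FAKE_RSA_PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
KEYSTORE = {
    "api-2024": {"alg": "HS256", "secret": SERVER_HMAC_SECRET},
    "sso-rsa": {"alg": "RS256", "public_key": FAKE_RSA_PUBLIC_KEY},
}

def run_checks() -> dict:
    """Feed the verifier one constructed token per attack shape on the page; return the reasons."""
    claims = {"sub": "1", "admin": True}
    tokens = {
        "legit": sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "api-2024"}, claims, SERVER_HMAC_SECRET),
        # Attack #1: mixed-case "none" with the signature segment left empty
        "none_alg": encode_segments({"alg": "nOnE", "kid": "api-2024"}, claims) + ".",
        # Attack #2: RSA key id, but the token says HS256 and is HMAC-signed with the public key
        "alg_confusion": sign_hs256({"alg": "HS256", "kid": "sso-rsa"}, claims, FAKE_RSA_PUBLIC_KEY),
        # Attack #3: jku pointing at a key set the server does not control (placeholder URL)
        "jku_injection": sign_hs256({"alg": "HS256", "kid": "api-2024", "jku": "https://attacker.example/jwks.json"},
                                    claims, b"attacker-controlled-key-material!"),
        # Attack #4: kid path traversal signed with the empty key, and kid SQL injection
        "kid_traversal": sign_hs256({"alg": "HS256", "kid": "../../dev/null"}, claims, b""),
        "kid_sqli": sign_hs256({"alg": "HS256", "kid": "key' UNION SELECT 'secret'--"}, claims, b"secret"),
    }
    return {name: verify_jwt(token, KEYSTORE)[1] for name, token in tokens.items()}
```

The order of checks matters: the algorithm allowlist and the kid validation run before any key material is touched, and the algorithm is compared against the stored key's type, so a token can never choose which primitive the server uses. parse_jwt on the page's own header and payload segments returns {"alg":"HS256","typ":"JWT"} and {"sub":"1","admin":true}.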
Tools
Use our JWT Generator to create attack tokens with none algorithm and custom claims. Decode any JWT instantly with our JWT Decoder. Use the Hash Generator to verify HMAC signatures, and the Encoder/Decoder to manually inspect Base64url-encoded JWT segments. See the JWT Attacks Cheat Sheet for all techniques.
Related Reading
JWT vulnerabilities are closely tied to other auth and web attacks. Steal tokens via XSS to hijack sessions, or combine JWT manipulation with CSRF payloads when token validation is missing on state-changing endpoints. If JWT tokens are stored in cookies, SSRF can sometimes leak them from internal services. For testing authorization logic beyond JWT forgery, try our IDOR Generator to enumerate and tamper with object references.