JWT Attacks

JSON Web Tokens carry authentication state to the client, so flaws in how they're verified can let an attacker forge identities and escalate privileges.

JWT PayloadsGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

JWT vulnerabilities stem from weak verification: accepting the 'none' algorithm, confusing RS256 and HS256 so the public key is used as an HMAC secret, brute-forcing weak signing secrets, or trusting unvalidated claims like role and expiry.

How to test for it

Decode the token and inspect the header and claims, then try algorithm downgrade and key-confusion attacks, attempt to crack short HMAC secrets offline, and tamper with claims to probe whether the signature is actually verified server-side.

How to prevent it

Pin the expected algorithm during verification, never accept 'none', use strong random secrets or proper asymmetric keys, validate every security-relevant claim (iss, aud, exp), and keep token lifetimes short with revocation where needed.

In-depth articles

JSON Web Token Defense: Algorithm Pinning, Key Management, Expiry, and Revocation10 min read JWT Attacks: A Pentester's Guide to Algorithm Confusion and Token Manipulation9 min read Solving a Multi-Stage CTF Challenge Using Only Payload Playground18 min read CTF Web Challenge Methodology: Recon, Source Review, and Exploitation Chains14 min read JWT Algorithm Confusion Attacks: RS256 to HS256, none, and JWK Injection10 min read

Frequently asked questions

What is the JWT 'alg: none' attack?+

If a library accepts the 'none' algorithm, an attacker can strip the signature and submit an unsigned token with arbitrary claims, which a misconfigured verifier accepts as valid.

What is JWT key confusion?+

When a server expects RS256 but also accepts HS256, an attacker can sign a token with the public RSA key used as an HMAC secret, forging a token the server trusts.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...