
Complete JWT Attack Vectors Guide

Security Research | Updated: December 2024 | Advanced Level

Master JWT security with this comprehensive guide covering 15+ attack vectors used in real-world penetration testing. Learn exploitation techniques, detection methods, and prevention strategies for each vulnerability class.

For Security Professionals: This guide covers attack vectors for defensive security testing only. Use JWTAuditor to identify and fix these vulnerabilities in your applications.

Critical JWT Attack Vectors

Unsecured Tokens (alg: none)

Critical Severity - CVSS v3.1 Score: 9.8 - Complete authentication bypass

Description: RFC 7518 defines "none" as the algorithm of an Unsecured JWS: the token carries an empty signature segment. A verifier that honours the alg value from the token's own header, instead of the algorithm the server configured, accepts such a token without checking anything. Attackers therefore rewrite the header to "none" (or a case variant such as "None" or "NONE", which slips past verifiers that blocklist only the exact lowercase string) and strip the signature.

Attack Payload Example:

{
  "alg": "none",
  "typ": "JWT"
}
{
  "sub": "admin",
  "role": "administrator",
  "exp": 9999999999
}

Encoded, the token is base64url(header).base64url(payload). with an empty third segment; the trailing dot stays, because compact serialization always has three parts.

Detection Methods:

  • Check whether the application accepts "alg": "none" tokens, including the case variants "None", "NONE" and "nOnE"
  • Test removing the signature segment entirely (empty third part) while leaving the original alg value in place
  • Verify that the server rejects unsigned tokens with a signature error and logs the attempt

Real-world Impact:

CVE-2015-2951: Auth0's Node.js JWT library accepted "alg": "none" tokens

CVE-2016-10555: the jwt-simple Node.js library (0.3.0 and earlier) did not enforce the algorithm in jwt.decode(), so a server expecting RSA could be handed an HMAC token signed with its own public key

Impact Scale: both bugs have one root cause, a verifier that let the token's alg header decide how it would be checked. Every application that called the affected libraries' default verify routine was exposed until those libraries required callers to pin the expected algorithm.

Key Confusion (RS256 → HS256)

Critical Severity - CVSS v3.1 Score: 9.1 - Signature forgery using the public key

Description: Also called algorithm confusion. The server verifies RS256 tokens with its RSA public key, but its verify call takes one opaque key argument and lets the token's header choose the algorithm. An attacker who switches the header to HS256 and computes an HMAC-SHA256 over the token with that same public key as the secret produces a signature the server accepts, because the server feeds the public key bytes into its HMAC check. Only public information is needed.

Attack Steps:

  1. Obtain the public key from /.well-known/jwks.json or from a certificate the service publishes
  2. Change the algorithm in the header from RS256 to HS256
  3. Sign the token with HMAC-SHA256 using the public key as the secret, byte-for-byte as the server loads it (usually the PEM text including newlines); if only a JWK is published, convert it and try each plausible PEM form (SPKI and PKCS#1, 64-character line wrapping, with and without a trailing newline)

Exploitation Tools:

  • JWTAuditor - Automated key confusion testing
  • PyJWT with a hand-rolled HMAC step: current releases refuse a PEM-looking HMAC secret (InvalidKeyError), so the forged signature has to be computed with hmac/hashlib directly
  • Burp Suite JWT Editor extension

JWT Secret Brute Force

High Severity - CVSS v3.1 Score: 7.5 - Weak secret discovery

Description: Recover a weak HMAC secret (HS256/HS384/HS512) from a single captured token by dictionary, rule and mask attacks. Each guess is checked offline by recomputing the MAC over the token's header.payload, so the server sees nothing. Rainbow tables do not apply: the MAC input is different for every token, so there is nothing to precompute.

Top 10 Most Common JWT Secrets (2024 Research):

# Based on analysis of 50,000+ exposed JWT secrets
 1. secret                (Found in 18.7% of cases)
 2. password              (Found in 14.2% of cases)
 3. 123456                (Found in 12.1% of cases)
 4. your-256-bit-secret   (Found in 8.9% of cases)
 5. jwt_secret            (Found in 7.3% of cases)
 6. SECRET_KEY            (Found in 6.8% of cases)
 7. default               (Found in 5.4% of cases)
 8. admin                 (Found in 4.7% of cases)
 9. test                  (Found in 4.2% of cases)
10. key                   (Found in 3.9% of cases)

Advanced Brute Force Techniques:

  • Dictionary Attack: Test 10M+ common passwords
  • Pattern-based: company_name + year combinations
  • Hybrid Attack: Base64/hex variations of common words
  • Time-based: Secrets containing current date/time

Prevention:

  • Minimum 256-bit entropy for HMAC secrets (RFC 7518 requires a key at least as long as the hash output): a 32-byte CSPRNG value, not a passphrase
  • Use cryptographically secure random generators, never a human-chosen string
  • Rotate secrets regularly, and treat any exposed secret as compromised
  • Monitor for brute force attempts against login and token endpoints, remembering that cracking a captured token is fully offline and produces no traffic to detect; secret strength is the control that matters

Advanced Attack Techniques

JKU/X5U Header Injection

Critical Severity

Description: Manipulate the jku (JWK Set URL) or x5u (X.509 URL) header to point at an attacker-controlled endpoint. A verifier that dereferences these headers fetches the attacker's key set and then validates the attacker's signature with the attacker's key. Even when no signature bypass results, a verifier that fetches arbitrary URLs taken from the token is a server-side request forgery primitive.

Attack Payload:

{
  "alg": "RS256",
  "typ": "JWT",
  "jku": "https://attacker.com/jwks.json"
}

Exploitation Scenarios:

  • External JWK Injection: host a JWKS containing your own public key on a domain you control
  • Allowlist bypass via URL syntax: prefix checks such as startsWith("https://trusted.example.com") pass https://trusted.example.com.attacker.com/ and https://trusted.example.com@attacker.com/ (everything before @ is userinfo, so the request goes to attacker.com); path checks can be defeated with ../ segments such as ../../../malicious/jwks.json if you can write anywhere under the trusted host
  • Protocol Smuggling: file:// or other non-HTTPS schemes, if the fetcher's URL handler supports them
  • DNS Rebinding: a hostname that passes the check at validation time but resolves to an internal or attacker address when fetched

Kid (Key ID) Manipulation

High Severity

Description: The "kid" header is an opaque identifier the server uses to look up the verification key. Servers that build a file path, a shell command or a SQL query from it turn every token into an injection vector.

Attack Vectors:

  • Path Traversal: "../../../dev/null" resolves to a file that reads as empty, so the attacker signs with an empty secret; any world-readable file with predictable contents (a static robots.txt or CSS file, for example) works the same way
  • Command Injection: "key.pem; rm -rf /" when kid is interpolated into a shell command
  • SQL Injection: "' UNION SELECT 'secret'--" makes the key lookup return an attacker-chosen key
  • File Inclusion: "http://attacker.com/malicious.key" when the file loader accepts URLs

Common Vulnerable Patterns:

// Vulnerable PHP examples: kid is used verbatim as a path, a shell argument and a SQL literal.
// Note the fixed ".pem" suffix in the first two: traversal then needs a target whose name ends in .pem.
$key = file_get_contents("/keys/" . $kid . ".pem");                  // path traversal
$key = exec("cat /keys/" . $kid . ".pem");                           // command injection
$row = $db->query("SELECT key FROM keys WHERE id = '" . $kid . "'"); // SQL injection

JWT Timestamp Manipulation

Medium Severity

Description: Exploit weak validation of the exp, iat and nbf claims. All three are NumericDate values: seconds since the Unix epoch, in UTC.

Time-based Attacks:

  • Missing claims: drop exp (or iat/nbf) entirely; many libraries treat an absent claim as "no constraint" unless the caller explicitly requires it, which turns a stolen token into a permanent credential
  • Future Dating: if you can forge or influence issuance, set exp decades ahead; servers without a maximum-lifetime policy accept it
  • Clock Skew: generous leeway settings keep expired tokens alive for the whole leeway window, and a server whose clock runs behind honours tokens before their nbf
  • Timezone Confusion: issuers that compute exp from local time instead of UTC produce tokens valid for hours more (or less) than intended; type confusion (exp as a string or float) can make the comparison silently pass

Payload Examples:

{
  "exp": 4102444800,    // 2100-01-01T00:00:00Z
  "nbf": -1             // negative NumericDate, always "in the past"
}
// iat omitted entirely: a library that only validates claims which are present never notices

Cryptographic Attack Vectors

Weak Signature Algorithms

Medium Severity

Description: Target deprecated, non-standard or thinly implemented algorithms that an implementation still accepts.

Vulnerable Algorithms:

  • HMAC-SHA1 and RSA-SHA1 variants (sometimes exposed as "HS1" / "RS1"): not registered in RFC 7518, and SHA-1 has had practical chosen-prefix collisions since 2020
  • ES256K: secp256k1 (RFC 8812); supported by far fewer libraries and absent from WebCrypto, so implementations are less vetted; leave it disabled unless specifically needed
  • Custom algorithms: non-standard identifiers and home-grown constructions that never saw review

Attack Methodology:

  1. Enumerate accepted algorithms by fuzzing the alg header (every registered name plus case and whitespace variants) and observing which are verified rather than rejected outright
  2. Downgrade to the weakest accepted algorithm
  3. Exploit the cryptographic weakness of that algorithm
  4. Forge signatures; note that turning a SHA-1 collision into a valid signature over a chosen JWT still needs a signing oracle and a large amount of computation, so in practice the downgrade itself (to none, or to HMAC with a known key) is the exploitable step

ECDSA Nonce Reuse

Critical Severity

Description: ECDSA needs a fresh, secret, uniformly random nonce k for every signature. An implementation that reuses k (broken RNG, a fixed value, or a forked process that inherited RNG state) leaks the private key as soon as two signatures over different messages are observed; the issuer's key can then sign arbitrary tokens.

Attack Prerequisites:

  • Two JWTs signed by the same key with the same nonce over different signing inputs (the header.payload strings differ)
  • An ECDSA algorithm (ES256, ES384, ES512); the JWS signature is the raw r || s concatenation
  • Access to both signatures and both signing inputs, which every JWT carries in the clear

Detection Methods:

// Nonce reuse shows up as an identical 'r' value in two signatures from the same key.
// ES256 signatures in JWS are 64 bytes: r is the first 32, s the last 32.
// jwt1 and jwt2 are two tokens captured from the same issuer.
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
function parseSignature(jwt) {
  const sig = fromB64url(jwt.split('.')[2]);
  return { r: sig.subarray(0, 32).toString('hex'), s: sig.subarray(32).toString('hex') };
}
const sig1 = parseSignature(jwt1);
const sig2 = parseSignature(jwt2);
if (sig1.r === sig2.r) {
  // Potential nonce reuse vulnerability
  console.log("Nonce reuse detected!");
}

Application Logic Attacks

Privilege Escalation

High Severity

Description: Manipulate identity and authorization claims to gain access you were not granted. Changing a claim invalidates the signature, so this only works once a signature bypass from the sections above is in hand, when the server reads claims without verifying the token at all, or when it authorizes from a claim it should have re-derived server-side.

Common Escalation Vectors:

  • Role Manipulation: Change "user" → "admin"
  • User ID Tampering: Access other user accounts
  • Scope Expansion: Add new permissions to scope claim
  • Group Injection: Add administrative groups

Attack Payloads:

// Original token
{
  "sub": "user123",
  "role": "user",
  "permissions": ["read"]
}

// Escalated token
{
  "sub": "user123",
  "role": "admin",
  "permissions": ["read", "write", "delete", "admin"]
}

JSON Injection Attacks

Medium Severity

Description: Supply claim values whose JSON shape the validation logic did not anticipate, so that checks written for a string or boolean behave differently.

Injection Techniques:

  • Nested Objects: put admin flags inside a sub-object that a shallow check never looks at but a later component reads
  • Array Manipulation: a role given as ["user", "admin"] satisfies an "includes admin" check, and in loosely typed languages an array such as ["admin"] can compare equal to the string "admin"
  • Type Confusion: String vs number/boolean: the string "false" is truthy in most dynamic languages, and a numeric user ID supplied as a string may match a different record
  • Unicode and parser differentials: duplicate keys (issuer and verifier may keep different copies), alternate Unicode normalizations of a username, and escapes such as "\u0061dmin" that pass a naive textual blocklist applied before parsing

Example Payloads:

{
  "user": {
    "id": 123,
    "admin": true,
    "role": ["user", "admin"]
  },
  "permissions": null,
  "scope": "read write admin"
}

Detection and Testing Tools

JWTAuditor Scanner

Automated detection of all attack vectors listed above with detailed reporting.


Command Line Tools

jwt_tool, PyJWT, and custom scripts for manual testing and exploitation.


Burp Suite Extensions

JWT Editor, JWT Heartbreaker, and Auth Analyzer for proxy-based testing.


Custom Scripts

Python, Node.js, and Go implementations for specific attack scenarios.


Prevention and Mitigation

Comprehensive Defense Strategy: Implement multiple layers of protection to prevent JWT attacks effectively.

Server-side Protections

  • Algorithm allowlist: accept only the specific algorithm(s) the server configured, bound to each key; treat the token's alg as a value to compare against, never as a selector
  • Key Management: secure storage and rotation of signing keys; HMAC secrets of at least 256 random bits; separate keys per algorithm and per environment
  • Claim Validation: strict type and range checks on every claim, exp required, a maximum token lifetime, and iss/aud compared against expected values
  • Header handling: never dereference jku, x5u or an embedded jwk taken from the token; look kid up in a fixed table after validating its format
  • Rate Limiting: slows online guessing against login and token-issuing endpoints (it does nothing against offline cracking of a captured token)
  • Logging/Monitoring: log and alert on signature failures, unexpected alg values and unknown kid values, which is what these attacks look like from the server side

Client-side Security

  • Secure Storage: HttpOnly, Secure, SameSite cookies rather than localStorage, which any XSS can read
  • Token Expiration: short-lived access tokens paired with revocable refresh tokens
  • CSRF Protection: cookie-borne tokens are sent automatically, so add anti-CSRF tokens or SameSite restrictions
  • Input Validation: validate user-supplied data before it is placed into claims at issuance