JWT Security Checklist

Security Audit | Updated: December 2024 | All Levels

Complete JWT security audit checklist with 50+ verification points. Use this guide for security reviews, penetration testing, and implementation audits. Each item includes risk assessment and remediation guidance.

🔴 Critical Security Checks

Priority 1: These vulnerabilities can lead to complete authentication bypass

CRITICAL

What to Check: Verify application rejects tokens with "alg": "none"

Test Method:

  1. Modify JWT header: {"alg": "none", "typ": "JWT"}
  2. Remove signature portion entirely
  3. Submit token without trailing dots
  4. Test with an empty signature segment: header.payload. (trailing dot, nothing after it)

Remediation:

  • Implement algorithm whitelist (never include "none")
  • Always verify signatures exist and are valid
  • Use library security modes that reject unsigned tokens

Impact: Complete authentication bypass, privilege escalation to any user/role

CRITICAL

What to Check: Ensure asymmetric tokens can't be verified as symmetric

Test Method:

  1. Obtain public key from JWKS endpoint or certificate
  2. Change algorithm from RS256 to HS256
  3. Sign token using public key as HMAC secret
  4. Test if application accepts the forged token

Attack Payload:

// Original RS256 header
{"alg": "RS256", "typ": "JWT"}

// Modified to HS256
{"alg": "HS256", "typ": "JWT"}

// Sign with public key as secret
hmac_sha256(public_key, header.payload)

Remediation:

  • Verify algorithm matches expected key type
  • Use separate validation logic for symmetric vs asymmetric
  • Implement strict algorithm checking
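The two checks above share one remediation: the verifier decides how a token is verified, the token's header never does. The following is an added example (not code from this page or from JWTAuditor) of an HS256 verifier written against the Python standard library only; the secret, the single-entry algorithm allowlist and the claim values are constructed for the demonstration. It rejects every variant of the "alg": "none" test method and a header that has been switched to a different algorithm, and it compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side policy for this example: an explicit algorithm
# allowlist, and the expected algorithm pinned to the server key rather than
# read from the token header.
ALLOWED_ALGS = {"HS256"}
SERVER_KEY = {"alg": "HS256", "secret": b"constructed-example-secret-do-not-reuse"}

_B64URL_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url; anything outside the alphabet is an error."""
    if not segment or not set(segment) <= _B64URL_CHARS:
        raise ValueError("invalid base64url segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_hs256(token: str, key: dict = SERVER_KEY) -> dict:
    """Return the claims of a valid token or raise ValueError.

    Rejects tokens with other than three segments or an empty signature, any
    header alg outside the allowlist (so "none" in any letter case fails), and a
    header alg that differs from the algorithm pinned to the key (the
    RS256 -> HS256 confusion: the token never chooses how it is verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    if not sig_b64:
        raise ValueError("missing signature")
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if alg != key["alg"]:
        raise ValueError("header alg does not match the key's algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def mint_hs256(claims: dict, key: dict = SERVER_KEY) -> str:
    """Issue a legitimately signed token (used only to build the demonstration)."""
    header_b64 = _b64url_encode(json.dumps({"alg": key["alg"], "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verification_outcome(token: str, key: dict = SERVER_KEY) -> str:
    """'ok' for a valid token, otherwise 'rejected: <reason>'."""
    try:
        verify_hs256(token, key)
        return "ok"
    except ValueError as exc:  # JSONDecodeError, binascii.Error, UnicodeDecodeError are all ValueErrors
        return f"rejected: {exc}"


def checklist_results() -> dict:
    """Run the checklist's 'alg none' steps and a switched-algorithm header against the verifier."""
    good = mint_hs256({"sub": "alice", "role": "user"})
    header_b64, payload_b64, sig_b64 = good.split(".")
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    # A header claiming RS256 on a token that carries an HMAC signature; the
    # verifier rejects it at the allowlist check before touching any key material.
    rs256_header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    cases = {
        "legitimate": good,
        "alg_none_signature_removed": f"{none_header}.{payload_b64}.",
        "alg_none_no_trailing_dot": f"{none_header}.{payload_b64}",
        "empty_signature_real_header": f"{header_b64}.{payload_b64}.",
        "header_switched_to_rs256": f"{rs256_header}.{payload_b64}.{sig_b64}",
    }
    return {name: verification_outcome(token) for name, token in cases.items()}
```

Calling checklist_results() returns "ok" only for the legitimately signed token; each of the four attack shapes comes back with the reason it was refused. A production verifier that also supports RS256 keeps the same structure: the key record says which algorithm it is for, and a header that disagrees is an error, not a hint.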

CRITICAL

What to Check: HMAC secrets should resist brute force attacks

Test Method:

  1. Run dictionary attack against HMAC signatures
  2. Test common passwords: secret, password, 123456, etc.
  3. Try company name + year combinations
  4. Test Base64/hex encoded common words

Common Weak Secrets to Test:

secret
password
123456
your-256-bit-secret
jwt_secret
SECRET_KEY
default
admin
test
company_name_2024

Remediation:

  • Use minimum 256-bit cryptographically secure random secrets
  • Implement secret rotation policies
  • Use environment variables or key management systems
  • Regular secret strength auditing
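The remediation bullets translate into two small routines: one that generates a secret of the required size from the OS CSPRNG, and one that screens a configured secret before the service starts. The following is an added example (not code from this page or from JWTAuditor); the blocklist is the list of weak values given above, and the entropy threshold and the name-plus-year pattern are constructed heuristics for the demonstration.

```python
import base64
import binascii
import math
import re
import secrets
from collections import Counter

MIN_SECRET_BYTES = 32   # 256 bits, the checklist's minimum
MIN_ENTROPY_BITS = 128  # constructed screen: empirical byte entropy summed over the secret

# The weak values listed in the checklist (a production blocklist would be far larger).
WEAK_SECRETS = {"secret", "password", "123456", "your-256-bit-secret", "jwt_secret",
                "SECRET_KEY", "default", "admin", "test"}
_WEAK_LOWER = {w.lower() for w in WEAK_SECRETS}
_NAME_PLUS_YEAR = re.compile(r"[A-Za-z _-]+(19|20)\d{2}")  # e.g. company_name_2024


def generate_hmac_secret(num_bytes: int = MIN_SECRET_BYTES) -> str:
    """Return a base64url-encoded secret of num_bytes drawn from the OS CSPRNG."""
    if num_bytes < MIN_SECRET_BYTES:
        raise ValueError(f"secret must be at least {MIN_SECRET_BYTES} bytes")
    return base64.urlsafe_b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def shannon_entropy_bits(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, summed over the length."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) * n


def _decoded_forms(secret: str):
    """Yield plausible decodings (base64, hex) of the secret as text, skipping failures."""
    for decoder in (lambda s: base64.b64decode(s, validate=True), bytes.fromhex):
        try:
            yield decoder(secret).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue


def audit_secret(secret: str) -> list:
    """Return findings for an HMAC secret; an empty list means it passes this screen."""
    findings = []
    if secret.lower() in _WEAK_LOWER:
        findings.append("matches a known default or dictionary secret")
    elif any(form.lower() in _WEAK_LOWER for form in _decoded_forms(secret)):
        # Base64/hex encodings of dictionary words are still dictionary words.
        findings.append("is a base64/hex encoding of a known weak secret")
    if _NAME_PLUS_YEAR.fullmatch(secret):
        findings.append("looks like a name + year pattern")
    raw = secret.encode("utf-8")
    if len(raw) < MIN_SECRET_BYTES:
        findings.append(f"shorter than {MIN_SECRET_BYTES} bytes ({len(raw)} bytes)")
    elif shannon_entropy_bits(raw) < MIN_ENTROPY_BITS:
        findings.append("low byte entropy for its length")
    return findings
```

Run audit_secret() on the value loaded from the environment or KMS at startup and refuse to boot on any finding; that turns "regular secret strength auditing" into something that cannot be skipped.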

🟠 High Priority Security Checks

Priority 2: Significant security risks requiring immediate attention

HIGH

What to Check: Verify external key URLs are properly validated

Attack Vectors to Test:

  • External URLs: https://attacker.com/malicious.jwks
  • Path Traversal: ../../../etc/passwd
  • Protocol Smuggling: file:///etc/hosts
  • Internal Networks: http://localhost:8080/admin/keys
  • DNS Rebinding: subdomain.attacker.com → 127.0.0.1

HIGH

What to Check: Key ID parameter should be sanitized and validated

Injection Tests:

  • Path Traversal: "../../../dev/null"
  • Command Injection: "key.pem; cat /etc/passwd"
  • SQL Injection: "' UNION SELECT 'secret'--"
  • NoSQL Injection: {"$ne": null}
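The two HIGH items above are both parameter-handling problems with the same shape of fix: jku is checked against an allowlist of HTTPS hosts before anything is fetched, and kid is a lookup key into an in-memory key store, never a path, a shell argument or a query fragment. The following is an added example (not code from this page or from JWTAuditor); the allowlisted host, the kid pattern and the key store contents are constructed for the demonstration, and the example runs the attack strings listed above through both validators.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed policy for this example.
ALLOWED_JKU_HOSTS = {"keys.example.com"}
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed in-memory key store: kid is only ever a dictionary key.
KEY_STORE = {
    "2024-12-a": b"constructed-key-material-a",
    "2024-12-b": b"constructed-key-material-b",
}


def validate_jku(jku) -> str:
    """Return jku if it is an https URL to an allowlisted host, else raise ValueError."""
    if not isinstance(jku, str) or len(jku) > 2048:
        raise ValueError("jku missing, non-string or too long")
    parts = urlsplit(jku)
    if parts.scheme != "https":               # rejects file:, http:, relative paths
        raise ValueError(f"jku scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("jku must not carry credentials")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    if is_ip_literal:                          # localhost/127.0.0.1 style targets
        raise ValueError("jku host must be an allowlisted name, not an IP literal")
    if host not in ALLOWED_JKU_HOSTS:
        raise ValueError(f"jku host not in allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError("jku port not allowed")
    if ".." in parts.path.split("/"):
        raise ValueError("jku path contains traversal")
    return jku


def lookup_key(kid) -> bytes:
    """Return the key for kid; only well-formed ids are even looked up."""
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        raise ValueError("kid missing or malformed")
    key = KEY_STORE.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    return key


def _outcome(check, value) -> str:
    try:
        check(value)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


def checklist_cases() -> dict:
    """Run the checklist's jku vectors and kid injection strings, plus one legitimate value each."""
    jku_tests = [
        "https://attacker.com/malicious.jwks",
        "../../../etc/passwd",
        "file:///etc/hosts",
        "http://localhost:8080/admin/keys",
        "https://127.0.0.1/jwks.json",
        "https://keys.example.com/.well-known/jwks.json",
    ]
    kid_tests = [
        "../../../dev/null",
        "key.pem; cat /etc/passwd",
        "' UNION SELECT 'secret'--",
        {"$ne": None},
        "2024-12-a",
    ]
    return {
        "jku": {t: _outcome(validate_jku, t) for t in jku_tests},
        "kid": {str(t): _outcome(lookup_key, t) for t in kid_tests},
    }
```

The hostname allowlist does not by itself stop DNS rebinding; what does is fetching the key set over TLS with certificate verification, since an address the name has been rebound to cannot present a valid certificate for the allowlisted host. The fetch itself is outside this example.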

HIGH

What to Check: User claims should be immutable and validated

Escalation Tests:

  • Modify role from "user" to "admin"
  • Change user ID to access other accounts
  • Add administrative permissions to scope
  • Inject additional roles or groups
  • Modify tenant/organization IDs

🟡 Medium Priority Security Checks

Priority 3: Important security considerations for robust implementation

MEDIUM

What to Check: Time-based claims are properly validated

Tests to Perform:

  • Expired tokens (past exp claim)
  • Future-dated tokens (exp in year 2100)
  • Missing iat (issued at) claims
  • nbf (not before) in the past
  • Clock skew tolerance testing
  • Negative timestamp values

MEDIUM

What to Check: Malformed JSON should be rejected

Malformation Tests:

  • Invalid JSON syntax
  • Nested object injection
  • Array vs object confusion
  • Unicode character exploits
  • Extremely large payloads (DoS)
  • Duplicate key handling
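A strict payload parser covers all six malformation tests at once: a size cap, strict UTF-8 decoding, a top-level object requirement, duplicate-key rejection and a scalar-only rule for the claims the application authorizes on. The following is an added example (not code from this page or from JWTAuditor); the size limit and the list of authorization claims are constructed for the demonstration, and the sample payloads are constructed instances of each test category.

```python
import json

MAX_PAYLOAD_BYTES = 4096                          # constructed size cap
SCALAR_CLAIMS = ("sub", "iss", "role", "tenant")  # constructed: claims the app authorizes on


def _no_duplicate_keys(pairs):
    """object_pairs_hook that refuses a JSON object with a repeated key instead of
    silently keeping the last (or first) occurrence."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def parse_claims(raw: bytes) -> dict:
    """Strictly parse a base64url-decoded JWT payload into a claims dict.

    Enforces: size cap, valid UTF-8, a JSON object at the top level, no
    duplicate keys anywhere in the document, printable-ASCII claim names, and
    plain strings (no nested objects or arrays, no control characters) for the
    claims the application authorizes on."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")
    try:
        text = raw.decode("utf-8")  # strict: invalid or overlong sequences raise
    except UnicodeDecodeError:
        raise ValueError("payload is not valid UTF-8") from None
    try:
        claims = json.loads(text, object_pairs_hook=_no_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc.msg}") from None
    if not isinstance(claims, dict):
        raise ValueError("payload must be a JSON object, not an array or scalar")
    for name in claims:
        if not (name.isascii() and name.isprintable()):  # homoglyph / zero-width names
            raise ValueError(f"claim name is not printable ASCII: {name!r}")
    for name in SCALAR_CLAIMS:
        if name not in claims:
            continue
        value = claims[name]
        if not isinstance(value, str):
            raise ValueError(f"claim {name} must be a string, got {type(value).__name__}")
        if not value.isprintable():
            raise ValueError(f"claim {name} contains control characters")
    return claims


def parse_outcome(raw: bytes) -> str:
    try:
        parse_claims(raw)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


def malformation_results() -> dict:
    """Constructed payloads, one per malformation test category in the checklist."""
    cases = {
        "well_formed": b'{"sub":"alice","role":"user"}',
        "invalid_syntax": b'{"sub":"alice",',
        "nested_object_in_role": b'{"sub":"alice","role":{"$ne":null}}',
        "array_instead_of_object": b'["admin"]',
        "homoglyph_claim_name": '{"\u0455ub":"alice"}'.encode("utf-8"),
        "escaped_nul_in_role": b'{"sub":"alice","role":"ad\\u0000min"}',
        "oversized": b'{"pad":"' + b"x" * MAX_PAYLOAD_BYTES + b'"}',
        "duplicate_role": b'{"sub":"alice","role":"user","role":"admin"}',
    }
    return {name: parse_outcome(raw) for name, raw in cases.items()}
```

The duplicate-key case is the one most libraries get silently wrong: two parsers disagreeing on which "role" wins is exactly the inconsistency an attacker looks for, so refusing the document outright is safer than picking either.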

MEDIUM

What to Check: Weak algorithms should be rejected

Weak Algorithms to Test:

  • HS1 (HMAC-SHA1) - deprecated
  • RS1 (RSA-SHA1) - collision vulnerable
  • Custom algorithms - non-standard
  • ES256K - Bitcoin curve issues

🟢 Best Practice Checks

Priority 4: Additional hardening and monitoring capabilities

BEST PRACTICE

What to Check: Implement comprehensive monitoring

Monitoring Capabilities:

  • Failed verification attempt logging
  • Brute force attack detection
  • Suspicious algorithm usage alerts
  • Rate limiting on token validation
  • Audit trails for key operations
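The monitoring capabilities above assume the verifier emits a structured record per verification attempt. The following is an added example (not code from this page or from JWTAuditor) of a small detector over such records: it raises a brute-force alert when one source crosses a failure threshold inside a sliding window, flags forbidden or weak algorithms and algorithm/key mismatches, exposes a rate-limit decision, and keeps key operations in a separate audit trail. The log lines, field names and thresholds are constructed for the demonstration.

```python
import json
from collections import defaultdict, deque

# Constructed detection policy for this example.
BRUTE_FORCE_THRESHOLD = 5                  # failed verifications from one source ...
WINDOW_SECONDS = 60                        # ... within this many seconds
SUSPICIOUS_ALGS = {"none", "HS1", "RS1"}   # forbidden or weak per the checklist

# Constructed sample of structured verification logs, one JSON record per line.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "10.0.0.5", "event": "jwt_verify", "result": "ok", "alg": "HS256", "kid": "2024-12-a"}
{"ts": 1700000001, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000002, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000003, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000004, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000005, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000010, "src": "203.0.113.9", "event": "jwt_verify", "result": "fail", "reason": "algorithm not allowed", "alg": "none"}
{"ts": 1700000011, "src": "203.0.113.9", "event": "jwt_verify", "result": "fail", "reason": "header alg does not match key", "alg": "HS256", "kid": "rsa-2024"}
{"ts": 1700000300, "src": "198.51.100.7", "event": "jwt_verify", "result": "fail", "reason": "bad signature", "alg": "HS256"}
{"ts": 1700000301, "src": "10.0.0.5", "event": "key_rotate", "kid": "2024-12-b", "actor": "ops@example"}
"""


class JwtVerifyMonitor:
    """Sliding-window detector over verification events."""

    def __init__(self):
        self._failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.alerts = []
        self.audit_trail = []                 # key operations, kept apart from alerts

    def _in_window(self, src: str, ts: int) -> deque:
        window = self._failures[src]
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        return window

    def should_rate_limit(self, src: str, ts: int) -> bool:
        """True while a source sits at or above the failure threshold inside the window."""
        return len(self._in_window(src, ts)) >= BRUTE_FORCE_THRESHOLD

    def ingest(self, record: dict) -> None:
        event = record.get("event")
        if event in ("key_rotate", "key_revoke"):
            self.audit_trail.append(record)
            return
        if event != "jwt_verify":
            return
        src, ts = record["src"], record["ts"]
        if record.get("alg") in SUSPICIOUS_ALGS:
            self.alerts.append({"type": "suspicious_alg", "src": src, "alg": record["alg"], "ts": ts})
        if "does not match" in record.get("reason", ""):   # key-confusion signature
            self.alerts.append({"type": "alg_key_mismatch", "src": src, "ts": ts})
        if record.get("result") != "fail":
            return
        window = self._in_window(src, ts)
        window.append(ts)
        if len(window) == BRUTE_FORCE_THRESHOLD:   # fire once when the threshold is crossed
            self.alerts.append({"type": "brute_force", "src": src, "count": len(window), "ts": ts})


def analyze(log_text: str) -> JwtVerifyMonitor:
    """Feed every JSON record in log_text through a fresh monitor and return it."""
    monitor = JwtVerifyMonitor()
    for line in log_text.splitlines():
        if line.strip():
            monitor.ingest(json.loads(line))
    return monitor
```

Over SAMPLE_LOG the monitor produces three alerts: one brute-force burst from 198.51.100.7 (its later failure at ts 1700000300 falls outside the window and does not re-fire), one "none" algorithm attempt and one algorithm/key mismatch, while the key rotation lands in the audit trail rather than the alert stream.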

BEST PRACTICE

What to Check: Proper key lifecycle management

Key Management Practices:

  • Regular key rotation schedule
  • Secure key storage (HSM/KMS)
  • Key versioning support
  • Emergency key revocation
  • Key backup and recovery

BEST PRACTICE

What to Check: Secure token handling on client

Client Security Measures:

  • HttpOnly cookie storage (vs localStorage)
  • Secure flag for HTTPS-only cookies
  • SameSite attribute configuration
  • CSRF protection mechanisms
  • Token automatic refresh handling

🛠️ Testing Tools and Resources

  • JWTAuditor: automated scanning for all checklist items with detailed reporting and remediation guidance.
  • Manual Testing: command-line tools for detailed analysis: jwt_tool, PyJWT, and custom scripts.
  • Checklist Downloads: printable PDF, Excel spreadsheet, or JSON format for your security audits.
  • Training Materials: video tutorials, example vulnerabilities, and hands-on labs for security teams.

📋 Quick Reference Summary

  • 3 Critical Checks
  • 15 High Priority
  • 25 Medium Priority
  • 12 Best Practices

🚨 Must-Fix Vulnerabilities

  • Algorithm "none" acceptance
  • Key confusion (RS256→HS256)
  • Weak HMAC secrets