Comprehensive JWT Security Guide
Comprehensive JWT Security Guide A practitioner’s reference for JSON Web Token security — vulnerabilities, exploitation techniques, attack vectors, implementation flaws, and defense strategies. Covers algorithm confusion, signature bypass, library-specific issues, and secure implementation patterns. Compiled from 24 research sources. Table of Contents Fundamentals JWT Structure & Components Algorithm Confusion Attacks Signature Bypass Techniques Header Manipulation Payload Tampering Library-Specific Vulnerabilities Implementation Security Attack Methodology Secure Development Practices 1. Fundamentals JWT Overview Component Purpose Security Relevance Header Algorithm and token type declaration Algorithm confusion vector Payload Claims and data Authorization decisions Signature Integrity and authenticity proof Bypass target Common Use Cases Application JWT Role Attack Impact Authentication Identity assertion Account takeover Authorization Permission claims Privilege escalation Information Exchange Secure data transmission Information disclosure API Access Bearer token Unauthorized access 2. JWT Structure & Components Token Anatomy JWT STRUCTURE: Header.Payload.Signature Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c Header Parameters Parameter Description Security Implications alg Signature algorithm Algorithm confusion attacks typ Token type Type confusion (rare) kid Key identifier Key injection attacks jku JWK Set URL URL manipulation x5u X.509 URL Certificate injection Standard Claims Claim Purpose Attack Vectors iss (Issuer) Token origin Issuer spoofing sub (Subject) Token subject User ID manipulation aud (Audience) Intended recipient Audience bypass exp (Expiration) Token lifetime Expiry bypass iat (Issued At) Issue timestamp Replay attacks nbf (Not Before) Activation time Timing bypass 3. Algorithm Confusion Attacks Attack Mechanism ALGORITHM CONFUSION FLOW: 1. Server expects RS256 (RSA + SHA256) 2. Attacker changes alg to HS256 (HMAC + SHA256) 3. Server's public RSA key used as HMAC secret 4. Attacker generates valid HMAC signature 5. Server verifies with same key → bypass Vulnerable Algorithm Transitions Original Algorithm Confused Algorithm Attack Method RS256/RS384/RS512 HS256/HS384/HS512 Public key as HMAC secret ES256/ES384/ES512 HS256/HS384/HS512 Public key as HMAC secret Any Algorithm none No signature verification Exploitation Techniques Attack Vector Payload Example Impact RSA→HMAC {"alg":"HS256"} + HMAC(payload, rsa_public_key) Complete authentication bypass Algorithm None {"alg":"none"} + unsigned token Total signature bypass Weak Algorithm {"alg":"HS256"} with known/weak secret Signature forgery 4. Signature Bypass Techniques Direct Signature Attacks Method Technique Requirements Empty Signature Remove signature section Vulnerable parser Signature Stripping Modify to alg: "none" Missing algorithm validation Brute Force HMAC secret guessing Weak secret key Dictionary Attack Common secret wordlists Predictable secrets Signature Validation Flaws COMMON VALIDATION ERRORS: ├── Missing Algorithm Verification │ ├── Accept any algorithm in header │ ├── No algorithm allowlist │ └── Default to insecure algorithms ├── Improper Key Handling │ ├── Same key for multiple algorithms │ ├── Public key reuse │ └── Key confusion attacks └── Logic Bypasses ├── Empty signature acceptance ├── Null signature handling └── Exception swallowing 5. Header Manipulation Key Identifier (kid) Attacks Attack Payload Effect Path Traversal "kid":"../../public.key" Arbitrary file read URL Injection "kid":"http://attacker.com/key" External key loading SQL Injection "kid":"' OR 1=1--" Database manipulation Command Injection "kid":";cat /etc/passwd" Code execution JWK Set URL (jku) Manipulation JKU ATTACK CHAIN: 1. Attacker controls jku parameter 2. Points to malicious JWK Set 3. Server fetches attacker's keys 4. Token validates with attacker's key 5. Complete authentication bypass X.509 Certificate Attacks Vector Description Mitigation Certificate Injection Supply malicious certificate via x5u Strict URL validation Self-Signed Certs Use untrusted certificates Certificate chain validation Certificate Confusion Mix certificate types Explicit algorithm binding 6. Payload Tampering Claim Manipulation Claim Attack Example Impact User ID (sub) Change to admin user Horizontal privilege escalation Role (role) Elevate to administrator Vertical privilege escalation Expiration (exp) Extend lifetime Persistent access Audience (aud) Change target application Cross-application attacks Business Logic Bypasses PAYLOAD ATTACK PATTERNS: ├── Privilege Escalation │ ├── Role claim modification │ ├── Permission array tampering │ └── Group membership changes ├── Time-Based Attacks │ ├── Expiry extension (exp) │ ├── Not-before bypass (nbf) │ └── Issued-at manipulation (iat) └── Cross-Application Attacks ├── Audience switching (aud) ├── Issuer spoofing (iss) └── Token reuse across services 7. Library-Specific Vulnerabilities Historical Vulnerabilities Library CVE Vulnerability Impact node-jsonwebtoken CVE-2015-9235 Algorithm confusion Authentication bypass pyjwt CVE-2017-11424 Key confusion Signature verification bypass php-jwt CVE-2021-46743 Algorithm substitution Authentication bypass jose4j CVE-2023-51775 Algorithm confusion Token forgery Framework Integration Issues FRAMEWORK VULNERABILITIES: ├── Express.js/Node.js │ ├── jsonwebtoken algorithm confusion │ ├── Middleware bypass techniques │ └── Error handling flaws ├── Django/Python │ ├── PyJWT verification bypasses │ ├── Algorithm None attacks │ └── Key handling issues ├── Spring Boot/Java │ ├── JJWT library flaws │ ├── Algorithm validation bypass │ └── Key injection vulnerabilities └── ASP.NET/C# ├── System.IdentityModel flaws ├── Algorithm confusion └── Certificate validation bypass 8. Implementation Security Secure JWT Verification Security Control Implementation Common Mistakes Algorithm Validation Strict allowlist Accept any algorithm Key Management Rotate regularly, separate keys Reuse across algorithms Signature Verification Mandatory verification Optional or bypassable Claim Validation Validate all critical claims Trust payload data Key Management Best Practices SECURE KEY PRACTICES: ├── Key Generation │ ├── Cryptographically random │ ├── Sufficient entropy (256+ bits) │ └── Algorithm-specific requirements ├── Key Storage │ ├── Hardware security modules │ ├── Environment variables (dev) │ └── Key management services ├── Key Rotation │ ├── Regular rotation schedule │ ├── Grace periods for old keys │ └── Emergency rotation procedures └── Key Distribution ├── Secure channels only ├── JWK Set endpoints └── Certificate-based PKI 9. Attack Methodology Reconnaissance Phase Target Information Gathering Tools JWT Structure Token analysis JWT.io, jwt_tool Algorithm Detection Header inspection Burp Suite, manual analysis Key Discovery Public key extraction Certificate analysis Implementation Details Error message analysis Fuzzing, invalid tokens Exploitation Workflow ATTACK SEQUENCE: ├── Token Acquisition │ ├── Login with valid credentials │ ├── Social engineering │ └── Token leakage (logs, URLs) ├── Token Analysis │ ├── Decode header and payload │ ├── Identify critical claims │ └── Determine algorithm ├── Vulnerability Testing │ ├── Algorithm confusion tests │ ├── Signature bypass attempts │ └── Claim manipulation └── Impact Assessment ├── Authentication bypass ├── Privilege escalation └── Data access Testing Tools Tool Purpose Features jwt_tool JWT manipulation Algorithm attacks, claim fuzzing Burp JWT Editor Token analysis Real-time editing, validation c-jwt-cracker HMAC brute force Dictionary attacks, custom wordlists JWT2John Password cracking Extract for John the Ripper 10. Secure Development Practices Implementation Checklist Security Control Verification Risk Level Algorithm Allowlist Explicitly define allowed algorithms Critical Signature Verification Mandatory for all tokens Critical Key Management Secure generation, storage, rotation High Claim Validation Validate issuer, audience, expiration High Error Handling No information leakage Medium Framework-Specific Guidance SECURE IMPLEMENTATION PATTERNS: ├── Node.js/Express │ ├── Use jsonwebtoken with algorithm option │ ├── Implement proper error handling │ └── Validate all claims explicitly ├── Python/Django │ ├── PyJWT with algorithms parameter │ ├── Custom middleware for validation │ └── Secure key storage ├── Java/Spring Boot │ ├── Spring Security JWT support │ ├── Algorithm validation configuration │ └── JWK Set endpoints └── .NET/ASP.NET Core ├── Microsoft.IdentityModel.JsonWebTokens ├── TokenValidationParameters └── Strict algorithm validation Security Testing Strategy Test Category Test Cases Expected Result Algorithm Tests none, HS256→RS256, invalid Reject all invalid algorithms Signature Tests Missing, empty, invalid Reject all invalid signatures Claim Tests Expired, wrong audience, missing Validate all critical claims Header Tests kid injection, jku manipulation Reject malicious parameters Key Takeaways Algorithm Validation: Always use explicit algorithm allowlists Signature Verification: Never skip signature verification Key Management: Use separate keys for different algorithms Claim Validation: Validate all security-relevant claims Library Updates: Keep JWT libraries current with security patches This guide compiles practical JWT security knowledge from 24 research sources. Stay updated with emerging JWT attack techniques and library vulnerabilities. ...