BIPI
BIPI

JWT Attacks Cookbook: alg=none, kid Injection, JWK Spoofing, Cracking

Cybersecurity

A practical cookbook for JWT exploitation: alg confusion, kid path traversal, embedded JWK abuse, and cracking weak secrets at scale.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 23, 2024 · 11 min read

#jwt#authentication#pentesting#crypto

JWT remains the most attacked auth token format because libraries are easy to misuse and developers rarely understand the algorithm field. The vulnerabilities below have been documented for years yet keep appearing in fresh engagements.

Reconnaissance

  • Decode the header to identify alg, kid, jku, jwk, x5u, and typ fields
  • Note whether the same token is used across multiple services
  • Identify the library via known quirks (PyJWT, jsonwebtoken, jose, jjwt)
  • Check for predictable claims: incrementing IDs, default roles
  • Look for tokens in localStorage, cookies, and Authorization headers

alg=none Attack

Older libraries accept tokens with alg set to none and an empty signature. Re-encode the header with alg none, modify the payload, drop the signature, and submit. Variations: None, NONE, nOne to bypass naive string comparisons.

Algorithm Confusion: RS256 to HS256

If the server uses RS256 but accepts HS256 with the public key as the HMAC secret, you can forge tokens. Grab the public key from a JWKS endpoint or x509 cert, sign your payload with HS256 using that key as the secret, and you bypass auth.

kid Injection

  1. Path traversal: kid set to a path that points to /dev/null with empty HMAC secret
  2. SQL injection: kid set to a value that returns attacker-controlled key bytes
  3. Command injection in poorly written kid resolution
  4. Force loading of a known-public file as the HMAC key

jku and jwk Header Spoofing

If the server fetches keys from a URL in the jku header without allowlist, point jku at your own JWKS hosted on attacker.com. Some libraries even accept an embedded jwk in the header, letting you sign with a key you generated and assert it as trusted.

Cracking Weak Secrets

  • hashcat mode 16500 with a rockyou wordlist for HS256 secrets
  • jwt_tool with the crack flag wraps the same workflow
  • Common dev secrets: secret, password, your-256-bit-secret, change-me
  • Hardcoded secrets in mobile app reverse engineering hit constantly
  • If cracking succeeds, you forge any claim you want
A JWT with a 6 character HMAC secret is not authentication. It is base64 with extra steps.

Claim Manipulation

Once you can sign, the payoff is in the claims. Look for role, isAdmin, tenant_id, scope, and aud. Watch for confused deputy bugs where a token issued for service A is accepted by service B without aud validation.

Remediation

  1. Pin the expected algorithm explicitly; never trust the header
  2. Use library APIs that require algorithm specification on verify
  3. Allowlist jku hosts and ignore embedded jwk in untrusted tokens
  4. Validate iss, aud, exp, and nbf on every verification
  5. Rotate secrets and use keys of at least 256 bits of entropy
  6. Prefer short-lived tokens plus refresh tokens over long-lived access tokens
CVE-2022-23529
jsonwebtoken signature verification bypass
30s
to crack a 6-character HMAC secret with hashcat
4 fields
iss, aud, exp, nbf: validate them all

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.