JSON web tokens (JWTs) are a standard format for sending cryptographically signed JSON data between systems. They’re commonly used in authentication, session management, and access control…

TowardsDev's platform is a resource for developers, offering insights into software development, coding tutorials, and technology news. Through articles, tutorials, and coding challenges, TowardsDev offers insights into programming languages, development frameworks, and best practices in software engineering. Readers can learn about algorithms, data structures, and problem-solving techniques to enhance their coding skills and prepare for technical interviews.

Towards Dev

JWT attacks can allow attackers to modify tokens and escalate privileges or impersonate users. These attacks can be prevented by using strong algorithms, verifying signatures, validating claims, and implementing proper security measures.

JWT attacks

JWT authentication bypass via unverified signature

JWT authentication bypass via flawed signature verification

Brute-forcing secret keys: JWT authentication bypass via weak signing key

JWT authentication bypass via jwk header injection

Injecting self-signed JWTs via the jku parameter

Injecting self-signed JWTs via the kid parameter

<p>Good article in order to have a good overview of the JWT vulns. Well explains.</p>
<p>Maybe some other tools can be interesting:</p>
<ul>
<li><a href="https://github.com/ticarpi/jwt_tool" target="_blank" rel="noopener nofollow">https://github.com/ticarpi/jwt_tool</a> (classic and very useful)</li>
<li><a href="https://github.com/cerberauth/vulnapi" target="_blank" rel="noopener nofollow">https://github.com/cerberauth/vulnapi</a> (mine, not as exhaustive yet but can scan automatically)</li>
</ul>
