JSON Web Tokens (JWT) have become the default authentication token format in modern APIs. They’re compact, stateless, and when implemented correctly, secure. When implemented poorly, they’re a source of authentication bypass and privilege escalation. This module covers JWT structure, common attacks, and the concrete defences.

JWT structure

header.payload.signature

# Base64-decoded example:
Header:    {"alg":"HS256","typ":"JWT"}
Payload:   {"sub":"priya","role":"admin","exp":1700000000}
Signature: HMAC-SHA256(header + "." + payload, SECRET)

Signature is what makes JWT tamper-evident. Change the payload, signature no longer matches, verifier rejects.

Attack 1: alg=none

JWT spec includes an “alg” header field. One value: none — meaning no signature. Historical JWT libraries accepted alg:none at verification — trusting the header without actually checking the signature.

# Modified JWT with alg=none:
eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.
# (empty signature, decoded header says alg=none)

# Vulnerable verifier: signature check skipped because alg=none
# Attacker is now admin

Defence: explicitly reject alg: none. Whitelist allowed algorithms. Most modern libraries fixed this but legacy code still appears.

Attack 2: Algorithm confusion (HS256 vs RS256)

HS256 = HMAC with shared secret. RS256 = RSA signature with public/private keypair. If server uses RS256 but an older library uses the “verify key” inconsistently:

# Attacker knows RSA public key (typically published /.well-known/jwks.json)
# Attacker creates JWT with alg=HS256
# Signs with the public key as the "HMAC secret"
# Vulnerable verifier: "alg says HS256, so use secret for HMAC verification"
# Picks up the public key (normally used for RSA verification)
# HMAC-verifies with public key — passes!

Defence: explicit algorithm pinning in verification code. Don’t trust header’s alg; configure verifier to require specific alg.

Attack 3: Weak HMAC secret

HS256 uses a shared secret. If secret is weak (short, common word, default), attacker cracks it offline using the JWT itself:

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

9 more sections locked below

Module 13 · JWT Attacks 🔒

JWT structure

Attack 1: alg=none

Attack 2: Algorithm confusion (HS256 vs RS256)

Attack 3: Weak HMAC secret

Continue reading with Pro tier (₹4,999/year)

Other modules in this track

Module 4 · SQL Injection in 2026 <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 7 · Business Logic Flaws <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 6 · IDOR & Authorization Bypass <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>