Attacking JSON Web Tokens (JWT)

JSON Web Token (JWT) is a standard for sharing information between a client and a server. Each JWT carries encoded JSON objects, including a set of claims. JWTs are signed either with a secret key using the HMAC algorithm or with a public/private key pair using RSA.

JWTs generally have three parts: a header, a payload, and a signature. Each part is base64url encoded.

  1. Header: The header consists of two fields: 1) the type of the token and 2) the algorithm used for signing, such as HMAC with SHA-256.

The header structure:

  {
    "alg" : "HS256",
    "typ" : "JWT"
  }

base64url encoded string: eyBhbGcgOiBIUzI1NiwgdHlwIDogSldUIH0K

  2. Payload: The payload might look something like this:

The payload structure:

  {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
  }

  3. Signature: The signature is the part used to validate the token. It is the SHA256-HMAC of the encoded header and payload, computed with the secret key.

The signature structure:

  HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret
  )

Ways to Bypass the JWT Token Controls

When JWT is implemented correctly on the server side, it provides a secure way to identify the user. A user who does not have the secret key cannot create a valid token for the application.

But sometimes the JWT is not configured properly, and there are ways an attacker can bypass the authentication and authorization process.

Bypassing techniques for JWT

  1) None algorithm

  2) kid manipulation

  3) Brute forcing the secret key

  4) Leaking the secret key

None algorithm: JWT supports a "none" algorithm. If the alg field is set to none, any token is considered valid as long as the signature section is left empty.

Example:

  {
    "alg" : "none",
    "typ" : "JWT",
    "super user" : "nick"
  }

HMAC algorithm: The most common algorithms used for JWTs are HMAC and RSA. For HMAC, the token is signed with a key and later verified with the same key. For RSA, the token is created with the private key and later verified with the public key.

Providing an invalid signature: This is the simplest check of all. If the server does not actually verify the signature, an attacker can bypass authentication and authorization just by submitting a token with an invalid signature.

Brute forcing the secret key: It is also possible to brute force the JWT secret. If the key used to sign the token is not complex enough, the attacker can recover it easily by brute force.

kid manipulation: kid stands for Key ID. With this header parameter, developers can specify which key is used to verify the token.

Example of the kid parameter:

  {
    "alg" : "HS256",
    "typ" : "JWT",
    "kid" : "123"       // use key number 123 to verify the token
  }
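The none-algorithm, invalid-signature and kid sections above all come down to what the verifier does before trusting a token. The following is an added example, not code from the original post: a minimal HS256 verifier using only the Python standard library, with a constructed key table (the KEYS dict and its secret are assumptions) that pins the allowed algorithm, treats kid purely as a lookup name, and compares the MAC in constant time.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key table: "kid" is only a name that selects a server-side key.
KEYS = {"123": b"constructed-demo-secret-not-for-production"}
ALLOWED_ALGS = {"HS256"}  # the server, not the token, decides the algorithm

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj: dict) -> str:
    """base64url(JSON) for one header or payload part."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue a token exactly as the signature structure above describes."""
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str) -> Optional[dict]:
    """Return the payload if the token verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict):
        return None
    # 1. Reject "none" (and any algorithm the server did not choose)
    #    before looking at the key or the signature at all.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    # 2. "kid" is a lookup into the server's own table, never a path,
    #    a query or key material; an unknown kid is a hard failure.
    key = KEYS.get(str(header.get("kid")))
    if key is None:
        return None
    # 3. Recompute the MAC and compare in constant time, so an empty,
    #    truncated or tampered signature never passes.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(p_b64))
```

A token whose header says alg none with an empty third segment, a token naming a kid that is not in the table, and a token signed with the wrong key all come back as None from verify, while a token issued by sign_hs256 with the table's key returns its payload.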

Difference between session cookies and JWT (JSON Web Tokens) for session management

Session-based approach vs. JSON Web Token approach

  1) Session: After successful authentication the server generates a cookie.
     JWT: The server generates an access token.

  2) Session: The server generates a session ID and signs it using a secret key.
     JWT: The server generates an "accessToken" by signing the "userId" and "expiresIn" with the ACCESS_TOKEN_SECRET, and sends the "accessToken" to the browser (client side).

  3) Session: The browser (client side) receives the cookie in the response from the server and saves it in cookie storage.
     JWT: The browser (client side) receives the "accessToken" and saves it on the client side.

  4) Session: Cookies are included in every subsequent request to the server.
     JWT: The access token is included in every subsequent request to the server.

1) A JWT can be validated without connecting to the authorization server on every API invocation.

2) Supports scopes and users defined as claims in the JWT: it contains a username and a group, and it also supports custom claims.

3) A JWT can be stored in local storage or IndexedDB. This provides protection against CORS and CSRF attacks.

4) Finally, the application can store almost any data in the payload, which can increase the application's efficiency.


JWTs are very popular and highly recommended. Used correctly, they can prevent errors related to inadequate authorization.
