Advanced JWT Exploitation Techniques: Going Beyond the Basics

Introduction

JSON Web Tokens (JWTs) are widely adopted for secure, stateless authentication across web applications, APIs, and microservices. While JWTs bring many benefits, such as efficient session management and scalable authentication, they are also prone to a range of vulnerabilities when misconfigured or improperly implemented.

In this post, we’ll go beyond the basics of JWT exploitation, exploring advanced techniques for bypassing authentication, gaining unauthorized access, and achieving privilege escalation.

1. JWT Basics: The Foundation for Advanced Exploits

A JWT typically consists of three base64-encoded parts:

• Header: Specifies the token’s algorithm (alg) and token type.
• Payload: Contains the token’s claims, including user details and access levels.
• Signature: Verifies that the token hasn’t been altered. It’s generated by encoding the header and payload with a secret key.

Here’s a quick JWT structure:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The security of JWTs relies on robust key management and proper validation of each token component. However, slight misconfigurations or weak practices can open up serious attack vectors.

2. Common JWT Exploits and Advanced Techniques

1. The “None” Algorithm Attack

• Explanation: In some cases, developers mistakenly allow none as a signing algorithm, which skips signature verification entirely. This leaves the JWT effectively unsigned.
• Exploit: If the server accepts none as a valid algorithm, an attacker can alter the JWT payload and set the alg header to none. This allows attackers to bypass authentication and escalate privileges by modifying claims, such as setting the role to admin.

• Example Payload:
  

   {
     "alg": "none",
     "typ": "JWT"
   }
  

• Steps:

  1. Decode the JWT and alter the payload, e.g., changing "role": "user" to "role": "admin".
  2. Remove the signature part of the token and set the alg to none.
  3. Send the manipulated JWT to the server and verify if you gain elevated privileges.

2. Weak Key Vulnerabilities in HMAC (HS256)

• Explanation: If a weak secret is used with symmetric algorithms like HS256, it’s possible to brute-force the signature or predict the key.
• Exploit: With tools like JWT Cracker, try common or weak secrets such as admin, password, or the application name.
• Steps:
  1. Capture a valid JWT.
  2. Use a brute-force tool or wordlist to crack the secret key.
  3. Once the secret is known, you can create valid tokens with any claims.

Common tools for brute-forcing:
- jwt_tool.py
- hashcat (supports JWT cracking with hash mode 16500 for HS256)

3. Key Confusion Attacks

• Explanation: Key confusion happens when an application uses symmetric (HS256) and asymmetric (RS256) algorithms interchangeably without verification. This allows attackers to substitute an RS256 JWT with an HS256 token, signing it with the server’s public key.
• Exploit: If the server doesn’t differentiate between RS256 and HS256, you can use the public key (available to anyone) as a secret for an HS256 token.
• Steps:
  1. Get the server’s public key (often available in the application’s open configuration or public JWKS).
  2. Encode your JWT header to use HS256 and set the payload to admin.
  3. Sign the JWT using the public key as the secret.
  4. Send the crafted JWT and check if it bypasses authentication.

4. Claim Tampering and Lack of Validation

• Explanation: Claims within a JWT are user data fields, but if they’re not validated by the server, attackers can modify them to escalate privileges.
• Common Claims to Manipulate:
  • iat (Issued At): Modifying it can bypass time-based restrictions.
  • exp (Expiration): Changing expiration can extend session validity indefinitely.
  • sub (Subject): Changing sub to impersonate another user.
• Steps:
  1. Decode the JWT and modify claims directly, such as exp for expiry or sub for user identity.
  2. Re-sign the JWT if you know the secret, or if it’s vulnerable to weak key exploits.
  3. Test whether the server accepts the modified token.

5. SQL Injection via JWT Claims

• Explanation: If claims are directly used in database queries without sanitization, SQL injection attacks may be possible. This usually occurs when claims like sub or username are concatenated into database queries.
• Steps:
  1. Modify a claim (e.g., sub) to include SQL injection payloads like '; DROP TABLE users;--.
  2. Check if the application’s response or database behavior reflects SQL injection.

6. Cross-JWT Token Forgery (XJWT)

• Explanation: Cross-JWT token forgery involves reusing JWTs across services that accept tokens from different origins without verification.
• Exploit: If two services don’t validate the aud (audience) claim consistently, attackers can reuse tokens issued for one service to authenticate on another, bypassing intended access controls.
• Steps:
  1. Obtain a JWT from a service with a lower access level.
  2. Attempt to reuse the JWT on a more privileged service that lacks proper aud validation.

7. JWT Signature Bypasses with JKU Header Injection

• Explanation: The jku (JSON Web Key Set URL) header allows the token to specify a URL to fetch a public key. If this URL isn’t properly validated, attackers can supply their own key server, generating valid tokens signed by their own keys.
• Exploit: Manipulate the jku header to point to an attacker-controlled server.
• Steps:
  1. Set up a server that provides a fake JSON Web Key Set (JWKS).
  2. Modify the JWT to include a jku header pointing to the malicious JWKS URL.
  3. Sign the token with the attacker’s private key and send the JWT to the server.

3. Real-World Example Attack Scenarios

Example 1: Privilege Escalation via Weak JWT Key on HS256

1. Capture a JWT with HS256 signing from the application.
2. Use a brute-force tool to guess the secret (often found with a weak wordlist).
3. Decode the payload and set "role": "admin".
4. Re-sign the token and send it to the server, checking if you gain administrative access.

Example 2: Exploiting None Algorithm to Bypass Authentication

1. Observe that the application supports alg=none.
2. Modify the token’s header to set alg to none.
3. Update the payload to escalate privileges, e.g., "role": "superuser".
4. Send the tampered token to gain elevated privileges.

Example 3: Gaining Unauthorized Access via Cross-JWT Token Forgery

1. Capture a JWT from Service A with lower access.
2. Send the same token to Service B, bypassing aud claim verification.
3. Check if Service B grants access, thus bypassing the cross-service security barrier.

4. Defending Against Advanced JWT Exploits

1. Enforce Strong Key Management Practices

• Use unique, strong secrets for HS256 tokens, avoiding common or guessable keys.
• Rotate keys regularly and avoid hard-coding secrets in application code.

2. Restrict Algorithm Usage

• Only use algorithms necessary for your application and avoid using none.
• Enforce RS256 over HS256 where possible to separate signing and verification keys.

3. Validate All JWT Claims Carefully

• Validate claims like aud, exp, and sub to prevent tampering or unauthorized reuse.
• Set strict conditions for iat and exp to avoid indefinite token validity.

4. Avoid Using jku and kid Without Validation

• Do not rely on external sources for public key retrieval, or validate these URLs if you must use them.
• Disable jku and kid headers if not required.

5. Monitor for Anomalous Token Behavior

• Track token usage patterns, such as excessive token reuse or invalid claim modifications.

• Implement rate limiting and anomaly detection for authentication endpoints.

Conclusion

JWT misconfigurations and weaknesses are a high-impact attack vector that can expose applications to privilege escalation, unauthorized access, and data breaches. By understanding and leveraging advanced JWT exploitation techniques, bug bounty hunters and security experts can reveal hidden vulnerabilities in applications, emphasizing the need for strong security measures around token handling.