π Welcome back to the blog!
Today weβre diving into the world of JWT Tampering. You’ll see how an attacker can go from a basic user to full-blown admin by exploiting insecure JWT implementations. Weβll walk through how JWTs work, common vulnerabilities, and top it off with a real-world demo using our intentionally vulnerable app β PinewoodStore.
Ready to hack some tokens? Letβs go. π
π§ What is JWT Authentication?
JWT (JSON Web Token) is a compact, self-contained way to transmit information between parties securely. It’s often used for authentication in modern web applications and APIs.
Hereβs what happens when a user logs in:
- Server verifies credentials β
- Server generates a JWT signed with a secret/private key π§Ύπ
- Server sends this JWT back to the client
- Client sends the JWT in every subsequent request using the
Authorizationheader
𧱠Structure of a JWT
<Header>.<Payload>.<Signature>
Each part is Base64URL-encoded and has a specific purpose:
1. Header
Purpose: Describes the token type and signing algorithm.
Format: Base64URL-encoded JSON.
Example Decoded:
{
"alg": "HS256", // Signing algorithm (e.g., HMAC-SHA256)
"typ": "JWT" // Token type
}
Key Fields:
alg: Algorithm used for the signature (HS256,RS256,ES256, etc.)typ: Always"JWT"for standard tokenskid(optional): Key ID β used for key rotation in systems with multiple signing keys
π Security Note:
- Header is not encrypted, only Base64URL-encoded.
- Never accept tokens with
alg: "none"β that means no signature at all!
2. Payload (Claims)
Purpose: Contains user data and metadata (claims).
Format: Base64URL-encoded JSON.
Example Decoded:
{
"sub": "user123", // Subject (user ID)
"iat": 1516239022, // Issued-at timestamp
"exp": 1516242622, // Expiration timestamp
"roles": ["admin"], // Custom claim
"name": "John Doe" // Custom claim
}
π Standard Claims (from RFC 7519):
| Claim | Purpose | Example |
|---|---|---|
sub | Subject (user ID) | "sub": "user123" |
iat | Issued at | Unix timestamp |
exp | Expiration | Unix timestamp |
aud | Audience | "aud": ["api.example.com"] |
iss | Issuer | "iss": "auth-server" |
β¨ Custom Claims:
- Used to store app-specific data, like
roles,permissions,name,email, etc. - Do not store sensitive info (e.g., passwords) β payload is not encrypted!
3. Signature
Purpose: Verifies the tokenβs integrity and authenticity.
How It’s Created:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secretKey )
Key Fields/Concepts:
- Signing Algorithm: Depends on
algin the header (HS256,RS256, etc.) - Secret Key / Private Key: Used to sign the token
- Signature: Final output of the algorithm; prevents tampering
β If the header or payload is modified, the signature becomes invalid unless the attacker has the signing key.
π Bearer Token Usage
JWTs are typically included in the Authorization header when calling APIs:
GET /protected HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
π Common JWT Vulnerabilities
Letβs break down where things go wrong β and how attackers take over accounts like a boss. π§ π₯
1. π« alg: none Vulnerability
If the server doesnβt enforce signature checks, an attacker can send an unsigned token:
{
"alg": "none",
"typ": "JWT"
}
π₯ Exploit:
curl -H "Authorization: Bearer <unsigned-token>" http://target.com/api
β
Fix: Always verify the signature and reject alg: none.
2. π Algorithm Confusion
If the server supports both RS256 (asymmetric) and HS256 (symmetric) without validation…
An attacker can forge an HS256 token using the public key as a secret.
jwt.encode({"sub": "admin"}, key=public_key, algorithm="HS256")
π₯ Boom! You’re admin.
β Fix: Lock down supported algorithms and enforce strict verification.
3. π Ignored Expiration
If the exp field isnβt checked, a token can be reused forever.
{
"exp": 1600000000
}
π§ͺ Test:
curl -H "Authorization: Bearer <expired-token>" http://target.com/api
β
Fix: Always validate exp.
4. π No Signature Verification
This is what we exploited in PinewoodStore π
Vulnerable Code:
private Map<String, Object> extractAllClaims(String token) {
String[] parts = token.split("\\.");
String payloadJson = new String(Base64.getUrlDecoder().decode(parts[1]));
return objectMapper.readValue(payloadJson, Map.class);
}
π± It just decodes the token without verifying the signature.
πΏ Modify the payload to:
{
"sub": "admin",
"roles": ["admin"]
}
Then Base64 encode it and send it with the original header and signature. The server doesnβt care β youβre now admin.
π§ͺ Real-World Demo: PinewoodStore
Here’s how we take over an account using JWT tampering in PinewoodStore:
𧩠Steps:
- Log in as a normal user β get a valid JWT
- Decode the payload:
{ "sub": "user", "roles": ["user"] } - Modify to:
{ "sub": "admin", "roles": ["admin"] } - Base64 encode and rebuild the token
- Send request with:
Authorization: Bearer <forged-token>
π₯ You’re now in the admin panel!
π JWT Testing Matrix
| Test Case | Should Be Rejected? |
|---|---|
1. alg: none | β Yes |
| 2. Expired token | β Yes |
| 3. Tampered payload | β Yes |
| 4. Algorithm switch | β Yes |
| 5. Missing signature | β Yes |
π§ͺ Tools to Help You Hack JWTs
- π§ jwt_tool β Modify, sign, test tokens
- π Burp Suite JWT Scanner Extension
- π§ͺ Postman for quick token tests
- π jwt.io debugger
β JWT Security Best Practices
- π Always verify the signature
- β Never accept
alg: none - π Enforce token expiration
- β Donβt put sensitive info in the payload
- π Use strong secrets (for HS256)
- π§Ύ Prefer short-lived access tokens and refresh tokens
- β Implement role-based access control on the server
π§ Summary
JWTs are powerful, but power without control is dangerous.
As shown in PinewoodStore, skipping a simple signature check can lead to full account takeover.
So next time you build or audit a JWT-based app, ask:
π€ “What happens if someone tampers with this token?”
If the answer is “Nothing”, then you’re doing it right. π
