JSON Web Token (JWT) Playbook

This JWT guide covers everything you need to understand, test, and exploit JWT vulnerabilities in real-world applications.

JSON Web Tokens (JWT)

A JSON Web Token (JWT), pronounced “jot,” is a compact, self-contained, and digitally signed standard (RFC 7519) for securely transmitting information as a JSON object between parties, commonly used for authentication and authorization in web apps and APIs.

Structure of a JWT

A JWT has three parts, separated by dots:

  • Header: Contains metadata like the token type (JWT) and signing algorithm (e.g., HMAC SHA256).
  • Payload: Contains the “claims” (user data, roles, expiration time).
  • Signature: Created by signing the encoded header and encoded payload with the server's secret key (e.g., an HMAC-SHA256 over them), so that any change to the header or payload is detectable, ensuring integrity.

How JWTs Work (Authentication Example)

  1. Login: User provides credentials; server verifies them.
  2. Token Creation: Server creates a JWT with user info (claims) and signs it.
  3. Token Delivery: Server sends the JWT to the client (browser).
  4. Requesting Access: Client sends the JWT in the Authorization header with subsequent requests.
  5. Verification: Server verifies the signature; if valid, grants access.

JWT vs JWS vs JWE

The JWT standard itself is intentionally minimal. It defines a structured way to represent a set of claims as a JSON object that can be passed between two parties, but it does not prescribe how those claims should be protected or used in practice.

In real-world implementations, JWTs are almost always realized through extensions to the core specification. These extensions are JSON Web Signature (JWS), which provides integrity through digital signatures, and JSON Web Encryption (JWE), which provides confidentiality by encrypting the token contents.

As a result, what is commonly referred to as a “JWT” is typically either a JWS or a JWE. In most cases, the term “JWT” is used to mean a JWS, where the claims are encoded and signed. JWE tokens follow a similar structure, but differ in that the claims are encrypted rather than merely encoded.

For more in-depth learning, please read the JWT - PortSwigger documentation.

JWT Library

The following list contains information you can use to exploit JWT tokens.

  1. Testing JSON Web Tokens - OWASP
  2. JWT Security Testing/Penetration Testing Checklist

JWT Toolset

  1. JWT.IO
  2. GitHub - ticarpi/jwt_tool

This post is licensed under CC BY 4.0 by the author.