JWT Attack Lab
A sandbox environment to test JWT vulnerabilities and attacks
JWT Security Guide
Common JWT Vulnerabilities
- alg=none Attack: Setting the header algorithm to "none" so that a server which trusts the header skips signature verification
- Weak Secrets: Signing HS256 tokens with a short or easily guessable secret
- Algorithm Confusion: Changing the header from RS256 to HS256 so that a server which trusts the header verifies the token with its own public key as the HMAC secret
- Payload Manipulation: Modifying claims such as "admin": true in the payload, which only succeeds when the server does not properly verify the signature over the changed payload
Security Best Practices
- Use strong, randomly generated secrets (at least 32 bytes) for HMAC algorithms
- Pin the accepted algorithm on the server side and check it before verifying the signature; never take the algorithm from the token header
- Set appropriate expiration times with the "exp" claim and reject expired tokens
- Include the "aud" (audience) claim to specify the intended recipients and check it on verification
- Implement proper key rotation procedures
- Consider using JWE (encrypted tokens) for sensitive data
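The following verifier is an added example, not code from the lab itself: it uses only the Python standard library to sign and verify HS256 tokens while applying the practices above. The algorithm is pinned by the verifier rather than read from the header (which rejects both alg=none and RS256-to-HS256 confusion), the signature is compared in constant time, and the "exp" and "aud" claims are enforced. The `InvalidToken` exception, the 32-byte test secret and the "lab" audience are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised for any token that must not be accepted (hypothetical name)."""


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; the secret should be at least 32 random bytes."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, audience: str,
                 now: Optional[float] = None) -> dict:
    """Verify a token with the algorithm pinned to HS256, then check exp and aud."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("header and payload must be JSON objects")
    # The verifier decides the algorithm; "none" or "RS256" in the header is rejected
    # before any cryptography runs, which closes the alg=none and confusion cases.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature does not leak timing information
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or missing exp")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise InvalidToken("audience mismatch")
    return claims
```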