Breaking JWT Auth Misconfigurations in the Wild
Overview
JSON Web Tokens (JWTs) are everywhere. They're in your SaaS products, your mobile apps, your internal tooling. And they're consistently misconfigured in ways that give attackers full account takeover.
This post documents the most common JWT vulnerabilities I encounter during penetration testing engagements — not the theoretical ones, but the real ones that appear in production systems.
The Algorithm Confusion Attack
The most dangerous JWT vulnerability is also one of the best known. When a backend lets the token's `alg` header decide which verification routine runs and hands the same key material to both `RS256` and `HS256`, an attacker can take the RSA public key (which is public by design) and use it as the HMAC secret to forge tokens the server will accept.
```python
import jwt
import requests

# Grab the public key from a known endpoint
pubkey = requests.get("https://target.com/.well-known/jwks.json").text

# Forge a token using HS256 with the public key as the secret:
# a verifier that selects the algorithm from the header and reuses the
# RSA key object as an HMAC secret will accept this signature
forged = jwt.encode(
    {"sub": "admin", "role": "superuser"},
    pubkey,
    algorithm="HS256",
)
```
Weak Secrets
I am still finding JWTs signed with `secret`, `password123`, and the app's own domain name. Because an HS256 signature is just an HMAC over the header and payload, anyone who can guess or brute-force the secret offline can forge arbitrary tokens.
Tool of choice: **hashcat** with mode 16500 (JWT).
Missing Validation
Not verifying the signature at all (decoding the payload and trusting it). Not checking the `exp` claim. Not validating the `aud` claim, so a token issued for one service is accepted by another. These happen more often than you'd think, especially in microservice architectures where developers assume an upstream service already validated the token.
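The fix for both the algorithm confusion above and the missing checks in this section is the same: the verifier, not the token, decides the algorithm, and every token is checked for signature, expiry and audience before any claim is trusted. The following is an added example, not code from the post; it is a minimal standard-library HS256 issuer and verifier, and the key, audience name and claim values are constructed for the demo. It also includes an `alg: none` test fixture so the verifier's rejection of unsigned tokens can be checked.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example (not the post's code): HS256 with a pinned algorithm plus
# exp and aud checks. KEY/audience values used by callers are constructed.


class InvalidToken(Exception):
    """Raised with a short reason string when a token must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError) as exc:
        raise InvalidToken("malformed") from exc


def new_secret() -> bytes:
    """256 bits from the OS CSPRNG; a secret this size is not a hashcat target."""
    return secrets.token_bytes(32)


def _compact(header: dict, claims: dict) -> str:
    """header.payload, base64url-encoded without padding (no signature yet)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}"


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a token; the issuer fixes alg=HS256, callers cannot choose it."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(header: dict, claims: dict) -> str:
    """Test fixture: a token with an empty signature (e.g. alg=none)."""
    return _compact(header, claims) + "."


def verify_hs256(token: str, key: bytes, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims of a valid token or raise InvalidToken with a reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise InvalidToken("malformed") from exc
    # The header is attacker-controlled, so it never selects the verification
    # routine: pinning HS256 rejects "none" and any RS256 header outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare, and verify BEFORE reading anything from the payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("malformed")
    exp = claims.get("exp")
    # No exp is treated as expired: an unbounded lifetime is a misconfiguration.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise InvalidToken("audience mismatch")
    return claims


def classify(token: str, key: bytes, audience: str, now: float) -> str:
    """'ok' or the rejection reason; handy for logging rejected tokens."""
    try:
        verify_hs256(token, key, audience, now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)
```

`classify` is what you would wire into request logging: a spike of `unexpected alg` or `bad signature` rejections on a service is a cheap detection signal for exactly the forgery attempts this post describes, and `audience mismatch` counts tell you when tokens are being replayed across services.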