exploiting-jwt-algorithm-confusion-attack
Installation
SKILL.md
Exploiting JWT Algorithm Confusion Attack
When to Use
- Testing APIs that use RS256 (asymmetric) JWT tokens for authentication to check for algorithm downgrade to HS256
- Assessing JWT implementations for alg:none bypass where the server skips signature verification
- Evaluating JWT libraries for key confusion vulnerabilities where the public key is used as HMAC secret
- Testing kid (Key ID), jku (JWK Set URL), and x5u (X.509 URL) header parameters for injection
- Validating that the API server enforces a specific algorithm and does not trust the JWT header
Do not use without written authorization. JWT exploitation can lead to authentication bypass and account takeover.
Prerequisites
- Written authorization specifying the target API and JWT-based authentication in scope
- A valid JWT token from the target API (obtained through legitimate authentication)
- The server's RSA public key (obtainable from JWKS endpoint, TLS certificate, or public key endpoint)
- Python 3.10+ with
PyJWT,cryptography, andrequestslibraries - jwt_tool for automated JWT attack testing
- Burp Suite with JWT Editor extension