Module 04 — JWT Token Manipulation
Icon: Key | Colour: Purple
Overview
Analyses JSON Web Tokens for algorithm confusion, signature bypass, weak secrets, role escalation, and expiry validation issues.
How It Works
- Algorithm "none" attack — tests five variants of the `none` algorithm to see if the server accepts unsigned tokens.
- Weak secret brute-force — tests 40+ common secrets (`secret`, `password`, `123456`, etc.) to check for guessable signing keys.
- Role claim modification — modifies role/privilege claims in the token payload to test for privilege escalation.
- Expired token acceptance — sends expired tokens to see if the server enforces expiry validation.
- RS256 → HS256 confusion — attempts algorithm switching to exploit key-confusion vulnerabilities.
- Header injection — tests the `jku`, `x5u`, and `kid` header parameters for injection.
- Sensitive data in claims — checks if the token payload contains sensitive information (passwords, API keys, etc.).
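As an added example (not code from this module or its scanner), the following stdlib-only HS256 verifier shows the server-side checks that close each finding the module looks for: the algorithm is pinned server-side rather than read from the token (defeating `none` and RS256→HS256 switching), `kid` only selects from a known key table and `jku`/`x5u` are ignored, the signature is compared in constant time, and `exp` is mandatory. The key table, secret and token contents are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Server-side key table: the token's "kid" only selects an entry here and is
# never used to build a path or URL. The secret is a constructed demo value.
KEYS = {"k1": b"constructed-demo-secret-do-not-reuse"}
ALLOWED_ALGS = {"HS256"}  # pinned by the server, never read from the token

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    # Builds an HS256 token; used here only to construct inputs for the checks.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token, now=None):
    # Returns the payload only if every check passes; raises ValueError otherwise.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # 1. Algorithm pinning: rejects every spelling of "none" and any RS256->HS256
    #    switch, because the server, not the token, decides the algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # 2. Key lookup: an unknown kid is rejected; jku/x5u headers are ignored.
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # 3. Constant-time signature check over the exact header.payload bytes.
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    # 4. Expiry: exp must be present, numeric and still in the future.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("missing or expired exp claim")
    return payload

def is_valid(token, now=None):
    # Decoding and JSON errors are ValueError subclasses, so one except suffices.
    try:
        verify_jwt(token, now)
        return True
    except ValueError:
        return False
```

A verifier built this way reports a single "not valid" result for a tampered role claim, an unsigned `none` token, a wrong or guessed secret, an expired or missing `exp`, and an unrecognised `kid`, which is the behaviour the module's tests probe for.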
Expected Findings
| Finding | Severity |
|---|---|
| "none" algorithm accepted | Critical |
| Weak signing secret | Critical |
| Role escalation possible | Critical |
| Algorithm confusion (RS256→HS256) | Critical |
| Header injection (jku/x5u/kid) | Critical |
| Expired JWT accepted | High |
| Missing expiry claim | Medium |
| Sensitive data in claims | Medium |
Related CWEs
- CWE-327: Broken Cryptographic Algorithm
- CWE-521: Weak Password Requirements
- CWE-269: Improper Privilege Management
- CWE-613: Insufficient Session Expiration
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-20: Improper Input Validation
Bearer Token Required
This module produces the most thorough results when a valid Bearer token is provided during scan creation.