Flawed Signature Verification

The server keeps no state for the JWTs it issues; everything it knows about a session comes from the token's claims, so the signature is the only thing that tells it whether those claims are the ones it issued. If signature verification is flawed, an attacker can edit the payload at will.

Accepting Arbitrary Signatures

JWT libraries usually provide two methods, one for verification and one for decoding. For example, Node.js's jsonwebtoken library has verify() and decode(). decode() only Base64url-decodes the header and payload and parses the JSON; it never checks the signature. If a developer uses decode() alone and trusts the returned claims, the application does not verify the signature at all, and an attacker can edit the payload (for example, change sub to administrator) while leaving the original signature in place.

LAB: JWT Authentication Bypass via Unverified Signature

Goal: Modify your session token to gain access to /admin and then delete the user carlos.

Accepting Tokens Without Signature

The JWT header contains an alg parameter that states which algorithm was used to sign the token, i.e., which algorithm the server should use when verifying the signature. This is inherently risky because the header is user-controlled: the token itself tells the server how to check the token. JWTs can also be left unsigned with "alg":"none" (an "unsecured" JWT), in which case the signature part is empty. Servers usually reject these tokens, but because the rejection is often a string comparison against the exact value none, it can be bypassed with obfuscated variants such as None or NONE that a case-insensitive parser still treats as the unsigned algorithm.

Even when the token is unsigned it must keep the three-part structure, header.payload. with an empty signature, so the payload part must still end with a trailing dot.

LAB: JWT Authentication Bypass via Flawed Signature Verification

Goal: Modify your session token to gain access to /admin and then delete the user carlos.
