JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data but are most commonly used to send information ("claims") about users as part of authentication, session handling, and access control mechanisms.
Unlike with classic session tokens, all of the data that a server needs is stored client-side within the JWT itself. This makes JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.
The header section, for example, is base64url encoded before being used in the token. The string eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is the encoding of { "alg" : "HS256", "typ" : "JWT" } (the JSON is shown with spaces for readability; the encoded bytes themselves are compact, and any whitespace change would change the encoding).
The payload section contains information about the user's identity. This section, too, is base64url encoded before being used in the token. Here is an example of the payload section, which is the base64url-encoded form of { "username" : "admin" }: eyAidXNlcm5hbWUiIDogImFkbWluIn0
The server that issues the token generates the signature over the encoded header and payload: with symmetric algorithms such as HS256 this is a keyed hash (HMAC), and with asymmetric algorithms the hash is signed with a private key. Either way, the process involves a secret signing key that only the issuer (or, for asymmetric algorithms, only the holder of the private key) knows. This mechanism provides a way for servers to verify that none of the data within the token has been tampered with since it was issued:
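The encoding and signing steps described above, worked through as an added example (this is not code from the original page): base64url without padding, compact JSON, an HS256 signature over `header.payload`, and a verifier that pins the algorithm and rejects a token whose payload no longer matches its signature. The key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # JWTs use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Re-add the padding that the JWT encoding strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Compact JSON: any whitespace change alters the bytes and therefore the signature
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(signature)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Returns the claims only if the HMAC over header.payload matches; otherwise None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    if header.get("alg") != "HS256":  # a verifier must pin the algorithm it expects
        return None
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        return None
    return json.loads(b64url_decode(enc_payload))

KEY = b"constructed-demo-key"  # constructed for this example; real keys are long random secrets

def tampered_token(token: str, new_payload: bytes) -> str:
    # Constructed test input: same header and signature, payload swapped without re-signing
    enc_header, _, enc_sig = token.split(".")
    return ".".join([enc_header, b64url_encode(new_payload), enc_sig])

if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"username": "wiener"}, KEY)
    print(token)
    print(verify_hs256(token, KEY))  # {'username': 'wiener'}
    print(verify_hs256(tampered_token(token, b'{"username":"admin"}'), KEY))  # None
```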