Question 1

What JWT attacks can I test?

Accepted Answer

The JWT Attacker supports 5 attack classes: alg:none (algorithm none bypass), kid injection (SQL injection/OS command in key ID header), secret cracking (brute-force common JWT secrets), algorithm confusion (RS256 to HS256 key misuse), and weak secret detection.

Question 2

How does the JWT algorithm confusion attack work?

Accepted Answer

Algorithm confusion exploits servers that trust the JWT header's alg field. If the server uses RS256 (asymmetric) but accepts HS256 (symmetric), an attacker can forge tokens using the public RSA key as an HMAC secret, since the public key is often discoverable.

JWT Attacker

Results