JWT Algo Confusion

JSON Web Token (JWT) algorithm confusion is a critical vulnerability class that exploits how applications handle JWT signature verification. When a server is configured to accept multiple signing algorithms without proper validation, attackers can manipulate the token's algorithm header to trick the server into using a different verification method than intended - potentially allowing complete authentication bypass. JWT hacking through algorithm confusion is one of the most impactful JWT attacks discovered to date.

Understanding JWT Signing Algorithms

JWTs support two primary categories of signing algorithms: symmetric (HMAC-based, such as HS256) and asymmetric (RSA or ECDSA-based, such as RS256). With RS256, the server signs tokens using a private key and verifies them using the corresponding public key. With HS256, the same secret key is used for both signing and verification. This distinction is the foundation of the algorithm confusion attack.

How Algorithm Confusion Works

The attack exploits a dangerous interaction between these algorithm types. If a server uses RS256, its public key is often available (sometimes even published). An attacker can change the JWT header's algorithm from RS256 to HS256, then sign the modified token using the server's public key as the HMAC secret. When the server processes this token, a vulnerable implementation reads the algorithm from the token header, sees HS256, and uses its RSA public key as the HMAC verification key - exactly matching the attacker's signature. This allows the attacker to forge tokens with arbitrary claims.

Real-World Impact of JWT Hacking

Algorithm confusion vulnerabilities have been found in major JWT libraries across multiple programming languages, including Python's PyJWT, Node.js's node-jsonwebtoken, and PHP's firebase/php-jwt. When exploited, attackers gain the ability to forge administrative tokens, escalate privileges, impersonate any user, and completely bypass authentication. The widespread nature of this vulnerability led to significant security advisories and library updates across the JWT ecosystem.

Prevention and Secure Implementation

Secure JWT implementations must explicitly specify the expected algorithm on the server side rather than trusting the algorithm declared in the token header. Libraries should be configured to reject unexpected algorithm values, and applications should never allow algorithm switching between symmetric and asymmetric types. Keeping JWT libraries updated and following security best practices for token handling prevents algorithm confusion attacks.