{"id":728,"date":"2025-03-06T23:31:55","date_gmt":"2025-03-06T21:31:55","guid":{"rendered":"https:\/\/www.cloudtango.net\/blog\/?p=728"},"modified":"2025-03-06T23:31:56","modified_gmt":"2025-03-06T21:31:56","slug":"a-guide-to-json-web-tokens-jwts","status":"publish","type":"post","link":"https:\/\/www.cloudtango.net\/blog\/2025\/03\/06\/a-guide-to-json-web-tokens-jwts\/","title":{"rendered":"A Guide to JSON Web Tokens (JWTs)"},"content":{"rendered":"

Not too long ago, JSON Web Tokens (JWTs) were widely regarded as a go-to solution for authentication, praised for their security, scalability, and simplicity. However, today, the penetration testing team at CybaVerse\u2014along with other security researchers\u2014frequently uncovers high and critical vulnerabilities in their implementations.<\/p>\n

The thing is automated scanners don\u2019t typically pick up JWT misconfigurations with default settings. A thorough penetration test, however, can expose serious flaws that, if exploited, could undermine confidentiality, integrity, and availability. These three principles form the foundation of cyber security, and failing in any of them can lead to financial loss, reputational damage, or regulatory fines.<\/span>\u00a0<\/span><\/p>\n

JWTs are just one option for authentication and authorisation, both of which are equally essential to security. Authentication confirms who you are, while authorisation determines what you can access. JWTs often include claims that define a user\u2019s roles, permissions, and access levels, but if these are not properly validated, attackers can modify them to escalate privileges or bypass restrictions altogether.<\/span>\u00a0<\/span><\/p>\n

Understanding the risks is the first step to securing JWTs effectively. The next section covers how attackers exploit them, followed by ways to strengthen their security.<\/span><\/p>\n

They Work and Why They Matter<\/span><\/h4>\n

Before diving into exploits, it\u2019s important to understand what JWTs are and how they work. As previously mentioned, JWTs are widely used for authentication and authorisation. They allow systems to verify a user\u2019s identity and access level without requiring session data to be stored on the server. Unlike traditional session tokens, all the necessary data is stored on the client-side within the JWT itself. This makes them a popular choice for highly distributed websites, allowing users to interact seamlessly across multiple back-end servers.<\/span><\/p>\n

\"Figure<\/div>\n

Figure\u00a0<\/span>1<\/span>\u00a0decoded example of a JWT<\/span><\/em>\u00a0<\/span><\/p>\n

A JWT consists of three parts: the\u00a0header,\u00a0payload, and\u00a0signature. These are Base64-encoded and joined together with dots, forming a compact token that looks like this:<\/span><\/p>\n

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkN5YmFWZXJzZSIsImFkbWluIjp0cnVlLCJpYXQiOjE3Mzg2MTEzOTksImV4cCI6MTczODYxNDk5OX0.aS3zuaxqSRln7x1w8yoDZh6ikgxok4iHykNORwNsrVY<\/p>\n

Let\u2019s break it down.<\/p>\n

Header<\/h3>\n

The header contains information about how the JWT is signed.<\/span><\/p>\n

{<\/span>\u00a0<\/span><\/p>\n

\u00a0 “typ”: “JWT”,<\/span>\u00a0<\/span><\/p>\n

\u00a0 “alg”: “HS256”<\/span>\u00a0<\/span><\/p>\n

}<\/span>\u00a0<\/span><\/p>\n

The\u00a0<\/span>alg<\/span><\/i><\/strong>\u00a0field specifies the signing algorithm, such as HS256 (HMAC SHA-256) or RS256 (RSA SHA-256). The<\/span>\u00a0typ<\/span><\/i><\/strong>\u00a0field just indicates this is a JWT.<\/span>\u00a0<\/span><\/p>\n

Payload<\/h3>\n

The payload holds the claims, which are details about the user and their permissions.<\/span><\/p>\n

{<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0 “sub”: “1234567890”,<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0 “name”: “CybaVerse”,<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0 “admin”: true,<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0 “iat”: 1738611399,<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0 “exp”: 1738614999<\/span><\/i>\u00a0<\/span><\/p>\n

}<\/span><\/i>\u00a0<\/span><\/p>\n

In this example:<\/span><\/p>\n