Keys to JWT Assessments - From a Cheat Sheet to a Deep Dive

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://trustedsec.com/blog/keys-to-jwt-assessments-from-a-cheat-sheet-to-a-deep-dive
• Blog Title: Keys to JWT Assessments - From a Cheat Sheet to a Deep Dive
• Suggested Section: 🕸️ Pentesting Web -> JWT Vulnerabilities (Json Web Tokens) (add/expand a practical assessment checklist + tooling notes: Burp JWT Editor, jwt_tool, hashcat; include jku/x5u, embedded jwk, kid traversal patterns, and signature-validation sanity check)

🎯 Content Summary

TrustedSec (Aaron James) provides a practical, tool-driven methodology for assessing JSON Web Tokens (JWTs) in real web applications, focusing on how JWT-based stateless session management works and how common JWT/JWS verification mistakes can be exploited to forge tokens (usually to escalate privileges by modifying payload claims like role, id, username, email, etc.). The post is structured as a quick-reference cheat sheet plus a deeper implementation walkthrough of each test/attack.

1. JWT fu...

🔧 Technical Details

Scoping stateless session controls (bare-minimum token isolation): Pick a sensitive/user-specific endpoint (e.g., profile data) and remove cookies/tokens/headers one by one until access fails. The remaining value(s) are the true session/authorization mechanism(s), giving you a stable replay target for JWT tampering tests.

JWT discovery via Burp regex search: If extensions don’t highlight tokens, use Target > Site map > right-click host > Engagement tools > Search, enable regex, and search for JWT-like patterns such as [= ]eyJ[A-Za-z0-9_-]\.[A-Za-z0-9._-], eyJ[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+, and [= ]eyJ[A-Za-z0-9_\/+-]\.[A-Za-z0-9._\/+-]. Adjust filters because response-header-only searches tend to show issuance, not usage.

JWT reconnaissance (decode + pick targets): Decode JWT header/payload to identify (1) security controls like exp (lifetime) and alg (crypto choice) and (2) authorization-driving claims like role, id, username, email. Use Burp JWT Editor’s...

🤖 Agent Actions

Summary:

• Added a practical JWT assessment workflow (scoping session controls, Burp regex discovery patterns, decoding targets, and signature sanity checks) to guide real-world testing.
• Expanded exploitation guidance: HS256 cracking commands, signature tampering sanity test, RS256→HS256 key confusion via Burp JWT Editor, collaborator-based jku/x5u abuse, and a reproducible kid traversal/JWK trick.
• Enhanced tooling notes with Burp JWT Editor, jwt_tool usage highlights, and hashcat mode for HMAC cracking; updated references with the TrustedSec article and related resources.

No tests were run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/keys-to-jwt-assessments-from-a-cheat-sheet-to-a-deep-dive

Content Categories: Based on the analysis, this content was categorized under "🕸️ Pentesting Web -> JWT Vulnerabilities (Json Web Tokens) (add/expand a practical assessment checklist + tooling notes: Burp JWT Editor, jwt_tool, hashcat; include jku/x5u, embedded jwk, kid traversal patterns, and signature-validation sanity check)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0