June 22, 2026
JWT Attacks: Breaking the Token
Hey everyone! Nitin here.
Nitin Yadav
Ever wonder how a website remembers you're logged in? A lot of modern apps use something called a JWT. And when developers set them up wrong, which happens A LOT, you can forge your way into other accounts or even admin. Let me show you.
What's A JWT?
JWT = JSON Web Token. It's a little string the server gives you after login that says "this person is Nitin, a normal user." Your browser sends it with every request to prove who you are.
It has three parts separated by dots: header.payload.signature
- Header: what algorithm secures it
- Payload: the info (your user ID, role, etc.). This is just base64, you can READ it!
- Signature โ the part that proves the token wasn't tampered with
The Bugs Live In How It's Checked
The whole security depends on the server properly verifying that signature. When it doesn't, beautiful things happen.
Classic JWT Attacks
1. The "none" algorithm trick: Some servers accept a token that says "algorithm: none", meaning NO signature needed. You just edit the payload (change your role to admin), set algorithm to none, and the server believes you.
2. Weak secret: The signature is made with a secret key. If the developer used a weak one like "secret" or "password", you can crack it (with a tool like hashcat) and then forge ANY token you want.
3. Reading the payload: Even when you can't forge, just DECODE the payload. Developers sometimes stuff sensitive data in there (internal IDs, emails, even flags), forgetting it's readable by anyone.
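To see where attack 1 actually goes wrong, here is an added example (my own illustration, not code from the original post): a stdlib-only HS256 verifier that trusts the alg named in the header, next to the hardened version that enforces a server-side algorithm allowlist. The key and the claims are constructed for the demo.

```python
# Added example, not from the original post. A minimal HS256 JWT verifier
# showing the "alg: none" bug and the fix. KEY and all claims are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"demo-secret-for-illustration"  # constructed; never ship a guessable key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature; alg 'none' yields an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """BUG: trusts the algorithm named in the attacker-controlled header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":  # "no signature needed"
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(body_b64))
    return None

def verify_hardened(token: str, key: bytes, allowed=("HS256",)) -> Optional[dict]:
    """Fix: the server decides the algorithm; the token does not get a vote."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in allowed:  # rejects "none" and algorithm confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))
```

In a real service the allowlist, key lookup and the `exp`/`aud` claim checks all belong in the verifier, never in the token.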
How To Hunt JWT Bugs
- Grab your JWT (it's in cookies or the Authorization header)
- Decode it (use jwt.io or Burp's JWT tools) and READ the payload
- Look at the role/user fields. Is there a "role": "user" you'd love to make "admin"?
- Test the attacks: try the none algorithm, try cracking the secret, try changing values and see if the server still accepts it
- If the server accepts your modified token, you've got a critical
Why It's High Impact
If you can forge tokens, you can become ANY user, including admin. That's full authentication bypass and account takeover. Programs pay seriously for this.
My Honest Tip
Use Burp's "JWT Editor" extension. It handles all the fiddly encoding/signing so you can focus on the actual attacks instead of fighting base64 by hand. And always, ALWAYS decode the payload first: the easiest JWT "bug" is just sensitive info sitting in plain sight.
Next post: GraphQL hacking, the 2026 goldmine everyone's sleeping on.
Forge responsibly!