"It's signed, so it must be secure"

That's exactly what attackers rely on.

JWT Algorithm Confusion is not about cracking crypto. It's about making the server verify the token in the wrong way — and happily accept a forged one.

No brute force. No leaked secrets. Just abusing trust in configuration.

None
Created by Gemini

List: Wild Bug Bounty Bugs You've Probably Never Seen | Curated by Abhijeet kumawat | Medium

Wild Bug Bounty Bugs You've Probably Never Seen · 5 stories on Medium

medium.com

List: Bug Bounty from Scratch Series #1 to #25 | Curated by Abhijeet kumawat | Medium

Bug Bounty from Scratch Series #1 to #25 · 25 stories on Medium

medium.com

🧠 What JWT Algorithm Confusion Really Is

JWTs have three parts:

HEADER.PAYLOAD.SIGNATURE

The header contains an alg field, like:

{
  "alg": "RS256",
  "typ": "JWT"
}

Algorithm confusion happens when:

  • The server trusts the alg value from the token
  • And uses the wrong key type to verify it

In simple terms:

The server lets the attacker choose how the token is verified

That's the bug.

🎯 Why This Bug Is Critical

JWT Algorithm Confusion can lead to:

  • Full authentication bypass
  • Account takeover
  • Admin impersonation
  • API access without credentials

And the worst part?

👉 The token looks perfectly valid 👉 Signature verification still "passes" 👉 Logs show normal authentication

That's why this often becomes P1 / P0.

📹 Real Exploitation Flow (PoC Mindset)

None
3Application
  |
  | Expects JWT signed with RS256
  | (Public / Private key pair)
  ↓
Attacker
  |
  | Changes alg: RS256 → HS256
  | Uses PUBLIC key as HMAC secret
  ↓
Server
  |
  | ❌ Verifies token using wrong logic
  ↓
💥 Token accepted → Attacker authenticated

No crypto broken. Only logic abused.

🧪 Where to Look for JWT Algorithm Confusion

This bug appears where:

  • JWTs are used for authentication
  • Tokens are validated server-side
  • Multiple algorithms are supported (or misconfigured)

High-Risk Targets

  • APIs (Authorization: Bearer <JWT>)
  • Mobile backends
  • Admin panels
  • Microservices
  • SSO / internal tools

If JWTs protect anything valuable, test them.

🧪 How to Find JWT Algorithm Confusion (Step-by-Step)

Step 1: Capture a Valid JWT

Login normally and grab a token from:

  • Authorization header
  • Cookies
  • Local storage

Example:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Step 2: Decode the JWT

Use:

  • jwt.io (offline mode)
  • jwt_tool

Check the header:

{
  "alg": "RS256"
}

This tells you what the server expects.

Step 3: Obtain the Public Key (Critical)

Look for:

  • /.well-known/jwks.json
  • OpenID configuration
  • Public certificates
  • Mobile app configs

Common paths:

/.well-known/jwks.json
/.well-known/openid-configuration

If the public key is exposed → you're close.

Step 4: Change the Algorithm (Core Test)

Modify the JWT header:

{
  "alg": "HS256"
}

Now:

  • Treat the public key as the HMAC secret
  • Sign the token using HS256

If the server accepts it → 💥 Algorithm confusion confirmed

🧰 Tools You'll Actually Use

🔧 Core Tools

  • jwt_tool
  • CyberChef
  • Burp Suite (Repeater)
  • curl

No scanners. No fuzzing.

Understanding matters more than tools here.

🧪 Real Commands & Payloads

Using jwt_tool

python3 jwt_tool.py TOKEN \
  -X k \
  -pk public.pem \
  -I

Or manually create:

1️⃣ Header:

{"alg":"HS256","typ":"JWT"}

2️⃣ Payload (modify role / user ID):

{
  "user": "admin",
  "role": "admin"
}

3️⃣ Sign with:

HMAC secret = PUBLIC KEY

🚩 Strong Signals You Found a Real Bug

Look for:

  • Token accepted after alg change
  • No signature validation errors
  • Access to protected endpoints
  • Role escalation works
  • API responses look normal

If the app doesn't complain — that's bad for them.

🧨 Turning This into a P1 / P0

JWT confusion becomes critical when:

  • JWT used for primary auth
  • Roles / permissions inside token
  • Long token expiration
  • Used across multiple services

Show:

  • Forged token
  • Access without valid login
  • Privileged action success

That's full trust collapse.

📝 How to Report This (Report-Ready)

Title

JWT Algorithm Confusion Allows Authentication Bypass

Impact

An attacker can forge valid JWTs by changing the signing algorithm from RS256 to HS256 and using the public key as the HMAC secret. This allows full authentication bypass and unauthorized access to protected resources.

Why This Matters

  • Breaks cryptographic trust
  • Affects all token-based auth
  • Leads to account takeover

🧠 Why Most Hunters Miss This Bug

Because:

  • JWT looks "secure"
  • Crypto scares people
  • They trust libraries blindly
  • They don't test configuration

But this is not a crypto bug. It's a logic bug.

🚀 What You Should Do After Reading This

Every time you see JWTs:

  • Decode them
  • Check the algorithm
  • Look for public keys
  • Try algorithm confusion

This one test can unlock huge impact.

🐾 Coming Next in This Series

Next post:

👉 WebSocket Authorization Bypass How real-time apps forget auth — and leak live data.

☕Support the Work (If This Helped You)

If this write-up helped you understand Web Cache Deception better — or saved you hours of trial and error — you can support my work here:

👉 Buy Me a Coffee: Abhijeet Kumawat❤️

Your support helps me keep publishing deep, practical bug bounty content with real attack flows, payloads, and reporting insights — not surface-level theory.

_ No pressure. Just appreciation❤️

None
Source: gifer.com