JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
JSON Web Tokens (JWTs) are a compact, URL-safe method for representing claims to be transferred between two parties. JWT vulnerabilities arise from improper implementation, validation, or management of these tokens. Because JWTs are widely used for authentication and authorization in modern web applications, these vulnerabilities can have critical security implications.
Common JWT vulnerabilities include: Algorithm Confusion attacks, where an attacker changes the token's algorithm header from RS256 (asymmetric) to HS256 (symmetric) and signs it with the public key; accepting tokens with the "none" algorithm, allowing unsigned tokens; insufficient signature validation or skipping validation entirely; using weak secrets for HMAC signing; not validating claims like `exp` (expiration), `iss` (issuer), or `aud` (audience); storing tokens insecurely (localStorage in XSS-vulnerable applications); and not implementing proper token revocation.
JWTs are the primary authentication mechanism for many modern applications and APIs. A compromised JWT gives an attacker the same access as the legitimate user, including any roles or permissions encoded in the token. Unlike session-based authentication where the server can immediately invalidate a session, JWTs are stateless -- a compromised token remains valid until it expires. Algorithm confusion attacks can allow any user to forge tokens with arbitrary claims, including admin privileges. Leaked tokens stored in localStorage can be harvested through XSS vulnerabilities. Weak JWT secrets can be cracked offline using brute force tools.
Use asymmetric algorithms (RS256, ES256) rather than symmetric (HS256) for JWT signing. Explicitly specify the allowed algorithms when verifying tokens -- never let the token's header dictate the verification algorithm. Validate all relevant claims including expiration (`exp`), issuer (`iss`), audience (`aud`), and not-before (`nbf`). Use short expiration times (15 minutes for access tokens) with refresh token rotation. Store tokens in HttpOnly cookies rather than localStorage to prevent XSS-based theft. Implement token revocation using a deny list for sensitive operations. Use a strong, randomly generated secret of sufficient length (at least 256 bits for HS256). Rotate signing keys periodically and implement key rollover support.
Select your framework for a detailed guide on fixing JWT Vulnerabilities with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Sensitive Data Exposure
Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
Missing Rate Limiting
Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
Path Traversal
Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect JWT Vulnerabilities and 14 other vulnerability types in your application.
Start Free Scan