JWT Tokens 📜

03 Aug, 2025

Welcome

Hello and welcome, today I'm going to go through JWT tokens. If you want to follow along you can sign up at portswigger academy ! But before we begin there is an important question....

What is JWT

token

Source: Sanity.io CDN

As we can see from above, JWT contains 3 parts. There is the header, the payload and the signature. Between these 3 parts there is a full stop, and each part is encoded with base 64.

One cool thing about this token is the signature part, it can be symmetrical and asymmetrical encryption. Symmetric encryption uses one secret key to sign and verify. Whereas, asymmetric key uses a private and a public key, where you can sign with a private key and then use a public key to verify it 😍

Now let's get our hands dirty

AnyaAnyaForgerGIF

FUN ❤️

JWT authentication bypass via unverified signature

Lab: JWT authentication bypass via unverified signature

Login page of the website.
Then using the credentials that were given, I'm going to log in.

weiner:peter

password

Now, I open burpsuite to see for interesting stuffs. When intercepting with login, this part was interesting. So, I decided to send this part to the repeater to analyze. Then, I saw the tokens and decided to send it to JSON web token.

repeater

Wow, this seem cool.

jsonweb

It shows that the sub which is the subject is weiner.

Now think about it, the goal is to gain access to the admin panel. So what if we forge the sub ? We can replace weiner with administrator.

administrator

Since in the lab it is given that we have to go to the /admin panel to access. Let's change the path.

getadmin

Yeap... It worked ! We now have access to the admin panel. Because of our token. This shows that the server does not really verify the signature, giving us admin access to the panel.