exploiting-jwt-algorithm-confusion-attack

# Exploiting JWT Algorithm Confusion Attack ## When to Use - Testing APIs that use RS256 (asymmetric) JWT tokens for authentication to check for algorithm downgrade to HS256 - Assessing JWT implementations for alg:none bypass where the server skips signature verification - Evaluating JWT libraries for key confusion vulnerabilities where the public key is used as HMAC secret - Testing kid (Key ID), jku (JWK Set URL), and x5u (X.509 URL) header parameters for injection - Validating that the API server enforces a specific algorithm and does not trust the JWT header **Do not use** without written authorization. JWT exploitation can lead to authentication bypass and account takeover. ## Prerequisites - Written authorization specifying the target API and JWT-based authentication in scope - A valid JWT token from the target API (obtained through legitimate authentication) - The server's RSA public key (obtainable from JWKS endpoint, TLS certificate, or public key endpoint) - Python 3.10+ with `PyJWT`, `cryptography`, and `requests` libraries - jwt_tool for automated JWT attack testing - Burp Suite with JWT Editor extension > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Workflow ### Step 1: JWT Token Analysis ```python import base64 import json import requests import hmac import hashlib import...