Hacking JSON Web Tokens

This lesson discusses the various methods by which an attacker can forge or tamper with a JWT.

At this point, we have discussed the ins and outs of JWTs. We have seen how they are generated, how they are validated, and how their keys are managed. We have also discussed what would happen if an attacker steals our JWT. But there is one thing which we have not discussed yet: is it possible for an attacker to create a JWT (without knowing your secret key or private key) and make you believe that this is a valid token?

In other words, is it possible for an attacker to change the data within a token and have it still be validated by our server? Unfortunately, there are some ways through which an attacker can do this. Some of these issues have already been caught and fixed, while others require extra caution from whoever generates the token.

We will discuss each of these methods below:

1) Brute Force Approach

In symmetric signing, we use a secret key to sign the token. If an attacker gets our secret key, the attacker can change the data in the token, sign it again using the secret key, and send it with the request.

If an attacker has one of our valid JWTs, the attacker can try many candidate symmetric keys offline, recompute the signature with each one, and compare the result to the known-valid signature. If there is a match, the attacker has discovered the symmetric key and can modify and forge JWTs at will. There are plenty of libraries for doing this.

To save ourselves from a brute force attack, we should carefully select our secret key. It should be long and randomly generated, not a word or phrase that is easy to guess.
