Attack Technique

JWT Algorithm Confusion: From Theory to Full Account Takeover

June 2025 · 12 min read

Introduction to JWT Algorithm Confusion

JSON Web Tokens (JWT) are a common standard for representing claims to be transferred between two parties. However, improper implementation of JWT validation can lead to critical security vulnerabilities, one of the most devastating being "Algorithm Confusion".

The Core Vulnerability

Algorithm confusion occurs when a server-side application accepts a JWT, takes the verification algorithm from the token's own header, and uses a public key (intended for asymmetric algorithms like RS256) as the secret key for a symmetric algorithm (like HS256). An attacker can then sign a JWT with HS256, using the public key as the HMAC secret, and the server will validate it with that same public key, erroneously treating it as a shared secret.

Exploitation Steps

  1. Obtain the server's public key (often available at /.well-known/jwks.json).
  2. Modify the JWT header to use "alg": "HS256".
  3. Modify the JWT payload to change user identity (e.g., set "sub": "admin").
  4. Sign the modified JWT using the HS256 algorithm with the public key as the secret.
  5. Send the forged JWT to the application.

Real-World Impact

In our recent engagements, we've seen this vulnerability lead to full account takeover, allowing attackers to bypass authentication entirely and gain administrative access to sensitive platforms.

Prevention & Mitigation

To prevent algorithm confusion, developers should:

  • Explicitly define the expected algorithm when validating tokens.
  • Avoid using libraries that automatically determine the algorithm from the token header.
  • Ensure that the key used for validation matches the intended algorithm type.
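The three mitigations above can be enforced as a gate that runs before any signature verification. The following is an added example, not code from this article or from any JWT library; the names `precheck`, `ALG_FAMILY` and `PEM_KEY` and the one-pinned-algorithm-per-key policy are assumptions, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Assumption for this example: the service pins one algorithm per verification key.
ALG_FAMILY = {"RS256": "asymmetric", "PS256": "asymmetric",
              "ES256": "asymmetric", "HS256": "symmetric"}

class TokenRejected(Exception):
    """Raised before any signature check when the token violates policy."""

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def key_family(key: bytes) -> str:
    # PEM-armoured material (public key or certificate) must never be an HMAC secret.
    return "asymmetric" if b"-----BEGIN" in key else "symmetric"

def precheck(token: str, key: bytes, pinned_alg: str) -> dict:
    """Apply the mitigations above; return the parsed header if they all hold."""
    # Key type must match the pinned algorithm, whatever the token says.
    if ALG_FAMILY.get(pinned_alg) != key_family(key):
        raise TokenRejected("configured key does not fit pinned algorithm")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part compact token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise TokenRejected("unreadable header") from exc
    # The header may only confirm the pinned algorithm, never select it.
    if not isinstance(header, dict) or header.get("alg") != pinned_alg:
        raise TokenRejected("header alg differs from pinned algorithm")
    return header

def is_accepted(token: str, key: bytes, pinned_alg: str) -> bool:
    try:
        precheck(token, key, pinned_alg)
        return True
    except TokenRejected:
        return False

def sample_token(alg: str) -> str:
    # Constructed, unsigned sample: only the header matters to precheck().
    head = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return head.rstrip(b"=").decode() + ".e30.c2ln"

# Constructed placeholder, not a real key.
PEM_KEY = b"-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n"
```

A token that passes `precheck` still has to go through signature verification with the pinned algorithm; the gate only removes the token's ability to choose how it is verified.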