This lab is a small test environment designed to experiment with JSON Web Tokens and common implementation mistakes.
The environment consists of a minimal web application that issues JWTs during login and validates them when accessing protected routes. The application is intentionally simple so that the token handling logic can be observed clearly.
JWTs contain three parts:
- The header describing the algorithm.
- The payload containing claims.
- The signature, which protects the integrity of the header and payload.
The lab focuses on understanding how incorrect validation logic can introduce vulnerabilities.
One experiment involved testing algorithm confusion scenarios. For example, a server expecting an asymmetric algorithm such as RS256 may incorrectly accept tokens signed using HS256 if the verification logic lets the token's own header choose the algorithm: the RSA public key, which is not secret, then ends up being used as the HMAC key.
I also explored cases where the algorithm field in the header is manipulated. Older libraries historically allowed tokens with:
{"alg":"none"}
When verification logic accepted this value, tokens could be forged without any signature at all.
The testbed makes it easy to generate tokens, modify headers, and observe how the validation code behaves. This helped clarify several best practices:
- Always enforce a strict algorithm whitelist.
- Separate symmetric and asymmetric key handling.
- Never trust algorithm information provided in the token itself.
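The following is an added example, not code from the lab itself, that puts the algorithm confusion scenario, the alg:none case and the three practices above side by side in one small verifier. It uses only the Python standard library, so the only signature scheme it actually computes is HS256; the RS256 branch is deliberately absent because the standard library has no RSA, and a real deployment would verify RS256 in a separate function that accepts only a public key from a library such as PyJWT. The secret, the "public key" PEM (a placeholder string, not a real key) and the tokens are all constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Build header.payload.signature; key=None yields an unsigned token (alg none)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


@dataclass
class ServerKey:
    kind: str       # "hmac" (shared secret) or "rsa_public" (PEM bytes)
    material: bytes


def verify_trusting_header(token: str, key: ServerKey) -> Optional[dict]:
    """Vulnerable verifier: the token's own header selects the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))        # no signature checked at all
    if alg == "HS256":
        # Whatever key material the server holds is fed to HMAC, even a public key.
        expected = hmac.new(key.material, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None
    return None  # RS256 branch omitted: the defect being shown lives in the branches above


def verify_pinned(token: str, key: ServerKey) -> Optional[dict]:
    """Hardened verifier: HS256 with a configured shared secret is the only accepted path."""
    if key.kind != "hmac":          # symmetric verifier never touches asymmetric key material
        return None
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # allowlist of exactly one algorithm, fixed by the server
        return None
    expected = hmac.new(key.material, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(p))   # payload is parsed only after the signature holds


# Constructed demo values; not real deployment material.
SECRET = b"constructed-demo-secret"
PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def demo() -> dict:
    """Run the lab's three scenarios through both verifiers and return the outcomes."""
    hmac_key = ServerKey("hmac", SECRET)
    rsa_key = ServerKey("rsa_public", PUBLIC_PEM)
    user = {"sub": "alice", "role": "user"}
    admin = {"sub": "alice", "role": "admin"}
    legit = encode_token({"alg": "HS256", "typ": "JWT"}, user, SECRET)
    unsigned = encode_token({"alg": "none"}, admin, None)            # alg none test token
    confused = encode_token({"alg": "HS256"}, admin, PUBLIC_PEM)     # HS256 keyed with the public PEM
    return {
        "legit_trusting": verify_trusting_header(legit, hmac_key),
        "legit_pinned": verify_pinned(legit, hmac_key),
        "none_trusting": verify_trusting_header(unsigned, hmac_key),
        "none_pinned": verify_pinned(unsigned, hmac_key),
        "confused_trusting": verify_trusting_header(confused, rsa_key),
        "confused_pinned": verify_pinned(confused, rsa_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {'ACCEPTED ' + str(result) if result else 'rejected'}")
```

Running it shows the trusting verifier accepting both the unsigned token and the HS256 token keyed with the public PEM, while the pinned verifier accepts only the legitimately signed token. Note that the hardened version decides the algorithm and key type from server configuration before it reads anything from the token, checks the signature in constant time, and only then parses the payload.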
JWT vulnerabilities are rarely about the format itself. Most problems come from how libraries are configured or how verification logic is implemented.