🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

JWT Algorithm Confusion

JWT Algorithm Confusion (Key Confusion) happens when an adversary can change the key and algorithm used for verifying the token and get unauthenticated access to the resource. Usually this vulnerability happens when the app supports both symmetric (e.g. HS256) and asymmetric (e.g. RS256) and the adversary can use asymmetric public key to generate symmetric tokens.

Remediation

  • Where possible only support either symmetric or asymmetric algorithm. Not both.
  • Enforce a preferred algorithm used for verification. Do not rely on token header.

Metadata

  • Severity: high
  • Slug: jwt-algorithm-confusion

CWEs

  • 347: Improper Verification of Cryptographic Signature

OWASP

  • A02:2021: Cryptographic Failures

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.