
If there were a competition to assess the most effective technology tool of our time, applications would win hands down. Over the past two decades applications have gone through myriad transformations. In their current incarnation, applications are agile and experience-centric. Application programming interfaces (APIs) power these modern applications, and as their use has become prevalent, cybercriminals' interest in cracking them has grown in step. In F5 Labs' 2020 Application Protection Report, we see how this architectural change is driving actualized risk. With authentication and authorization issues accounting for 50% of the API breaches and disclosures studied, it is of utmost importance to analyze authentication as an attack vector.

What is JWT?

JSON Web Token (JWT) is a token format widely used for authentication and authorization, and its adoption continues to grow. RFC 7519¹ defines JWT as a compact, URL-safe means of representing claims to be transferred between two parties. A JWT is instantiated in the form of either a JSON Web Signature (JWS) or a JSON Web Encryption (JWE). While a JWE² carries encrypted JSON, a JWS³ carries signed JSON data; note that a signature provides integrity and authenticity, not confidentiality, so anyone holding a JWS can read its claims. In this article, we delve into the details of JWT, specifically JWS, and look at some common exploitation techniques.

Structure of JWT

In compact serialization, a JWS is represented as three base64url-encoded segments separated by two dots: a header, a payload, and a signature, as shown in Figure 1. The header (the JOSE header) states the algorithm and token type, the payload carries the claims, and the signature is computed over the first two encoded segments exactly as they appear in the token, so any change to either invalidates it. The base64url alphabet replaces "+" and "/" with "-" and "_" and omits "=" padding, which a decoder must restore. (A JWE in compact form has five segments; the rest of this article concerns JWS.)
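To make the three-segment structure concrete, the following is an added example written for this article; it is not F5 Labs' code or part of any JWT library. It uses only the Python standard library to split a compact JWS, base64url-decode each segment (restoring the stripped padding), build and verify an HS256 token, and show that a payload edited after signing no longer verifies. The key, claims and the choice of HS256 are assumptions constructed for the example, not values from the original page.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as each JWS segment is encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the compact serialization strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jws(token: str):
    """Return (header, payload, signature) from a compact-serialized JWS.

    Header and payload are decoded to dicts; the signature stays raw bytes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build an HS256 JWS. The MAC covers 'header.payload' exactly as encoded."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the MAC over the first two segments; compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def tamper_payload(token: str, **changes) -> str:
    """Rewrite payload claims but keep the original signature (constructed attacker input)."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    p2 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p2}.{s}"


# Constructed sample: the key and claims are made up for this example.
SAMPLE_KEY = b"example-hs256-key-not-a-real-secret"
SAMPLE_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "1234567890", "name": "Alice", "admin": False},
    SAMPLE_KEY,
)

if __name__ == "__main__":
    header, payload, sig = split_jws(SAMPLE_TOKEN)
    print("header:   ", header)
    print("payload:  ", payload)
    print("signature:", sig.hex(), f"({len(sig)} bytes)")
    print("valid:    ", verify_hs256(SAMPLE_TOKEN, SAMPLE_KEY))
    forged = tamper_payload(SAMPLE_TOKEN, admin=True)
    print("forged admin claim decodes to:", split_jws(forged)[1]["admin"])
    print("forged token verifies?", verify_hs256(forged, SAMPLE_KEY))
```

Two details matter for the attacks that follow: the header and payload are only encoded, not protected from reading, so claims are visible to anyone holding the token; and the verifier recomputes the MAC from the token's own segments, which is why the interesting weaknesses lie in how a verifier interprets the header (for example the `alg` value) rather than in the HMAC itself.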