Inferensys

Glossary

JWT Confusion Attack

A cryptographic attack where an adversary tricks a server into accepting a JWT signed with a different algorithm than intended, often bypassing signature verification entirely.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
CRYPTOGRAPHIC VULNERABILITY

What is JWT Confusion Attack?

A JWT Confusion Attack is a cryptographic exploit where an adversary manipulates the algorithm header of a JSON Web Token to bypass signature verification, tricking a server into accepting a maliciously crafted token as legitimate.

A JWT Confusion Attack exploits a server's failure to strictly validate the alg header parameter in a JSON Web Token. The attacker crafts a token signed with a symmetric algorithm (like HS256) but sets the header to indicate an asymmetric algorithm (like RS256). If the server blindly trusts the header, it will use the public key as the HMAC secret to verify the signature, which the attacker can compute since the public key is often known.

This vulnerability arises from algorithm confusion between symmetric and asymmetric signing. The core defense is to enforce a strict allowlist of permitted algorithms on the server side, never trusting the client-supplied alg parameter. Libraries like PyJWT mitigate this by requiring explicit algorithm specification during decoding, preventing the server from being tricked into using the wrong verification method.

CRYPTOGRAPHIC VULNERABILITY ANALYSIS

Key Characteristics of a JWT Confusion Attack

A JWT confusion attack exploits the alg header parameter to trick a verifier into interpreting a token's signature using an unintended algorithm, effectively bypassing integrity checks and enabling unauthorized token forgery.

01

Algorithm Substitution Mechanism

The core of the attack lies in manipulating the alg header claim. An attacker changes this value from an asymmetric algorithm like RS256 (RSA signature) to a symmetric one like HS256 (HMAC). The server, if misconfigured, then uses its own RSA public key as the HMAC secret to verify the signature. Since the attacker possesses the public key, they can forge a valid HMAC signature, creating a token the server trusts implicitly.

Critical
Severity (CVSS 9.8)
CWE-345
Verification Bypass
02

The 'none' Algorithm Bypass

A more direct variant involves setting the alg header to none. The JWT specification includes this option to represent an unsecured token. Vulnerable libraries that do not explicitly reject the none algorithm will skip signature verification entirely, accepting any arbitrary payload as valid. This is a configuration flaw, not a cryptographic break, and remains a common finding in penetration tests.

Trivial
Exploit Complexity
03

Key Confusion via JWK Injection

Attackers can embed a malicious JSON Web Key (JWK) directly in the token's jwk header parameter. If the server is configured to dynamically fetch keys from the token itself rather than a trusted key store, it will use the attacker-supplied public key to verify the signature. The attacker signs the token with the corresponding private key they control, achieving complete authentication bypass.

CWE-345
Insufficient Verification
04

Cross-JWT Confusion (JWT-to-JWT)

This advanced attack targets systems with multiple distinct JWT verifiers. An attacker obtains a validly signed JWT from a low-security context (e.g., a logging service) and replays it against a high-security context (e.g., an admin API). If the high-security verifier trusts the same issuer and key but fails to validate the aud (audience) claim, it accepts the token, granting unauthorized privilege escalation.

Privilege Escalation
Impact
05

Polyglot Token Exploitation

A sophisticated technique where a single token is crafted to be validly interpreted by two different parsers in conflicting ways. For example, a token might be parsed as a valid JWT by an API gateway but as a different structure by the backend service. This exploits parser differentials to bypass security controls at the boundary layer while delivering a malicious payload to the core application.

Advanced
Attack Sophistication
JWT CONFUSION ATTACKS

Frequently Asked Questions

Clear, technical answers to the most common questions about JWT algorithm confusion vulnerabilities, their exploitation, and mitigation strategies for identity architects.

A JWT confusion attack is a cryptographic exploit where an adversary forces a server to interpret a JSON Web Token using a different algorithm than the one intended by the issuer, effectively bypassing signature verification. The attack exploits a fundamental design flaw in the JWT standard: the alg header parameter, which declares the algorithm used to sign the token, is itself unsigned. An attacker can modify this header to none (indicating no signature), or switch from an asymmetric algorithm like RS256 to a symmetric one like HS256. In the latter case, the server's public RSA key is treated as an HMAC shared secret. Since the attacker often has access to the public key, they can forge a valid HMAC signature, and the server will accept the token as legitimate. This vulnerability arises when server-side JWT libraries rely solely on the alg header to select the verification method, rather than enforcing a pre-configured, fixed algorithm per key or endpoint.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.