⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Break JWT Validation

Goal

Identify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens.

Assumptions

  • the app uses JWTs for auth or session-like state
  • validation logic may be inconsistent across services
  • developers may confuse token presence with valid authorization

Prerequisites

  • sample tokens from authenticated flows
  • ability to replay requests
  • basic understanding of JWT structure

Recon steps

  1. Determine where tokens are issued and consumed.
  2. Map claims that appear to influence authorization.
  3. Identify whether multiple services validate the same token differently.

Exploit / test steps

  1. Replay expired or old tokens.
  2. Remove or alter non-critical claims to observe validation strictness.
  3. Test whether audience, issuer, or scope checks appear enforced.
  4. Compare behavior across web, mobile, and API entry points.
  5. Check whether logout or privilege changes actually revoke token usefulness.

Validation clues

  • expired tokens still work
  • changed or missing claims are accepted
  • different services accept different token states
  • authorization decisions rely on weak or stale claims

Mitigation

  • validate signature, issuer, audience, expiry, and relevant claims consistently
  • separate authentication from authorization checks
  • minimize token lifetime and scope
  • design explicit revocation strategies where needed

Logging / detection

  • repeated use of expired tokens
  • token claim anomalies
  • inconsistent auth decisions across services for same subject

References

  • Foundational: OWASP Authentication Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
  • Testing / Lab: PortSwigger Web Security Academy — https://portswigger.net/web-security
  • Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/

Explore nearby notes

Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions. Security PlaybooksExploit SQL InjectionDetermine whether user-controlled input can alter SQL query logic in a way that changes access, data, or behavior.