Bugs, vulnerabilities and security research. Web2, Web3, Bug Bounty
The series finale. Shor's algorithm breaks every asymmetric JWT algorithm. ML-DSA signatures at 2.4 KB don't fit in a cookie. SD-JWT for selective disclosure. Harvest Now, Decrypt Later — why migrating JWE to post-quantum cryptography is needed now.
RFC 8725 — fifteen JWT security rules from the standard's authors. For each — which attack from the series it prevents, which CVEs exist, and why ~65% of applications don't check aud. Plus three new rules from the 2026 bis update.
JWT isn't perfect — 70+ CVEs over ten years. We break down the alternatives: PASETO without the alg field, Macaroons with unique attenuation, opaque tokens with instant revocation, Google/Netflix server-side sessions. For each — what to break on a pentest.
CVE-2025-20188 (CVSS 10.0): eight characters 'notfound' in a Cisco IOS XE Lua script = root RCE on enterprise equipment. 17% of JWT CVEs in 2024-2026 are hardcoded secrets. Where to look: git history, Docker layers, JS bundles, source maps, firmware.
Leak three bits of the nonce from each ECDSA signature — and after 100 signatures you have the full private key. Minerva, TPM-FAIL, EUCLEAK: real attacks on real devices, and what's actually applicable on a web pentest right now.
Found a Reflected XSS? If the app stores JWTs in localStorage, that's not just alert(1) — it's a full takeover of every account. We cover theft from every storage type, CSP bypass via WebRTC and CSS injection, and the only defenses that actually work.
At the seams between OAuth and OIDC components, attacks emerge that don't exist in isolation: token confusion, cross-service relay, ALBeast in AWS, and DPoP bypass — with real CVEs and step-by-step pentest checks.
Which library is running on the backend determines which attacks will actually land: a ranked breakdown of the most vulnerable JWT libraries, a tier classification from recommended to dangerous, and passive fingerprinting techniques that identify the stack from the token header alone.
JWE is the encrypted side of JWT that almost nobody talks about: five parts, two encryption layers, and a full zoo of attacks - Invalid Curve on ECDH-ES, Bleichenbacher on RSA1_5, Padding Oracle on AES-CBC, PBES2 DoS with one request, and the forbidden attack on AES-GCM.
The math behind HMAC, RSA, and ECDSA from an attacker's perspective: why Sony lost the PlayStation 3 to a single repeated number, and how leaking just a few nonce bits is enough to recover a private key.
A signature of all zeros passes ECDSA verification on Java 15-18. For any message, with any key. Five lines of Python - and you're admin.
JWT contains everything for an offline attack: message and signature. Hashcat on GPU runs through 150 million HS256 per second. The secret 'secret' is cracked in 2 seconds.
The JWT header can contain a URL, and the server will go to that URL to download the key for signature verification. This isn't a bug - it's RFC 7515.
The RFC doesn't define the structure of kid. Developers use it as a file path, SQL parameter, or command argument. Each option is a separate class of vulnerability.
Take the server's public key from open access, sign a token with it - and the server accepts it. The signature exists, the signature is correct, but the token is forged.
The RFC requires every JWT library to support the none algorithm. Change one field in the header - and the server skips signature verification.
Taking a real token and dissecting it like a pathologist: header, payload, signature, Base64url, claims, edge cases.
70+ CVEs over ten years. A bug from 2015 still fires in 2026. Let's figure out why JWT stubbornly remains broken.