If there were a competition to assess the most effective technology tool of our time, applications would win hands down. Over the past two decades applications have gone through myriad transformations. In their current incarnation, applications are agile and experience-centric. Application programming interfaces (APIs) power these modern applications and with their prevalent use, cybercriminals’ enthusiasm for cracking them is equally growing. In F5 Labs’ 2020 Application Protection Report, we see how this architectural change is driving actualized risk. With 50% of the cases studied for API breaches and disclosures being authentication and authorization related, it is of utmost importance to analyze authentication as an attack vector.
What is JWT?
JSON Web Token (JWT) is a mechanism for authentication and is gaining popularity and experiencing greater adoption. RFC75191 defines JWT as a compact, URL-safe means of representing claims to be transferred between two parties. JWT can be instantiated in the form on JSON Web Signature (JWS) or JSON Web Encryption (JWE). While a JWE2 represents encrypted JSON, a JWS3 represents signed JSON data. In this article, we delve into details of JWT—specifically JWS—and look at some common exploitation techniques.
Structure of JWT
JWTs are represented as three base64 URL-encoded components separated by two dots. Each consists of a header, payload, and signature, as represented in Figure 1.

Decoding the JWT
Running a base64 decode operation on the header and payload yields the constituents. A quick look reveals that the header field identifies the algorithm used to generate a signature, and the payload consists of the claims and signature used to validate the token (see Figure 2). JWTs support both symmetric HMAC (hashed message authentication code—a shared secret) and asymmetric signatures (a public-private key pair).