
JWT algorithm confusion attacks: How they work and how to prevent them

Blog post from WorkOS

Author: Maria Paktiti
Word Count: 1,664
Language: English

Summary

Algorithm confusion represents a significant vulnerability in the use of JSON Web Tokens (JWT), arising from the JWT specification's allowance for tokens to carry metadata about verification methods. This vulnerability allows attackers to manipulate the algorithm specified in the token header, thereby bypassing authentication without needing access to private keys. Despite being recognized since 2015, these vulnerabilities persist due to subtle complexities that can mislead developers. A classic example involves an attacker changing the algorithm from RS256 to HS256, exploiting the fact that an RSA public key can be misused as an HMAC secret, leading to successful token forgery. Further issues arise with the "alg: none" attack and JWKS injection, where insufficient validation allows attackers to manipulate the verification process. Real-world cases have demonstrated these vulnerabilities in popular JWT libraries across programming ecosystems. Effective defenses include explicitly specifying acceptable algorithms, ensuring key-type and algorithm alignment, and avoiding reliance on token-provided key references. The underlying issue is a broader problem of cryptographic agility, where flexibility in algorithm choice can introduce vulnerabilities if not carefully managed. The recommendation is to pin algorithms, enforce key type agreement, and maintain updated libraries to ensure secure JWT verification.
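The three defenses named in the summary (pinned algorithm, key-type and algorithm agreement, no token-supplied key references), written as an added example that is not code from the WorkOS post. The key-record layout, the function names and all sample values are assumptions made for illustration; only HS256 signatures are checked here, and RS256 verification is assumed to be delegated to a vetted library.

```python
import base64, hashlib, hmac, json

class TokenRejected(Exception):
    """Raised for any token that fails a policy or signature check."""

# Algorithm -> JWK key type it is allowed to run with.
ALG_KTY = {"HS256": "oct", "RS256": "RSA"}
# Header fields that let a token nominate its own verification key.
KEY_HINTS = {"jwk", "jku", "x5u", "x5c"}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header, claims, secret):
    """Issuer-side helper, used only to build the constructed sample tokens."""
    body = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(mac)

def verify(token, key):
    """key is server-side config {"kty", "alg", "material"}; never taken from the token."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(header, dict):
        raise TokenRejected("malformed token")
    alg = header.get("alg")
    if alg != key["alg"]:               # pinned algorithm; also rejects "none"
        raise TokenRejected("algorithm not pinned for this key")
    if ALG_KTY.get(alg) != key["kty"]:  # key type must agree with the algorithm
        raise TokenRejected("key type does not match algorithm")
    if KEY_HINTS & header.keys():       # refuse keys or key URLs carried in the token
        raise TokenRejected("token-supplied key reference")
    if alg != "HS256":                  # RS256 is left to a vetted library (assumption)
        raise TokenRejected("no verifier for algorithm in this example")
    mac = hmac.new(key["material"], (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sig):
        raise TokenRejected("bad signature")
    return json.loads(b64d(p64))
```

Every policy check runs before any key material reaches a cryptographic primitive, so a key pinned to RS256 is never handed to HMAC regardless of what the header claims.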