Labs

JWT Algorithm Confusion

JKU Authentication Bypass

JWT Mutable Claims Attack

Bruteforcing JWT HMAC Keys

Course Content

Introduction

Introduction to the course

The need for JWT

The Need for JSON Web Tokens (JWTs)

The need for JWTs

JWT Standards and Utility

How JWT Works

Anatomy of a JSON Web Token

Who uses the JWT?

Signing a JWT with HMAC

HMAC Variants of the JWT

Using Asymmetric encryption with JWT

Attacking and Defending JWTs

Introduction to JWT Attacks

Existing JWT Vulnerabilities

JWT Algorithm Confusion Attack

Lab Video: JWT Algorithm Confusion

Lab: JWT Algorithm Confusion

JKU Authentication Bypass

Lab Video: JKU Authentication Bypass

Lab: JKU Authentication Bypass

JWT Mutable Claims Attack

Lab Video: JWT Mutable Claims Attack

Lab: JWT Mutable Claims Attack

Lab Video: JWT HMAC Bruteforce

Lab: Bruteforcing JWT HMAC Keys

For any modern web application, authentication and authorization are key components of the security posture. In recent years, JSON Web Token (JWT) has become one of the leading technology standards used to secure and protect web apps of all kinds. Loved by many but hated by cryptographers, JWT is used extensively in OAuth, OIDC, Kubernetes, and other distributed web services and microservices.

In this course, we’ll be learning about JSON Web Tokens with a focus on attacking vulnerable JWT implementations and looking at defense strategies. We start with an introduction to JWT and why we need it. We’ll also explore the cryptographic essentials of JWTs.

Most of our time will be spent taking a deep-dive into attacking JWTs. This includes JWT algorithm confusion, authentication bypass, mutable claims attack, and HMAC brute force attacks, among others. Every single one of our lessons will be taught with the help of lab exercises to give you a hands-on look at real-world methods used to attack JSON Web Tokens.

All of AppSecEngineer’s video lessons and labs have been carefully crafted to deliver high-quality training while helping you retain as much of it as possible. All our material is designed to deliver real-world problem-solving experience. When you finish this course, you’ll be able to directly apply what you’ve learned to secure web apps with JWT.

Level: Intermediate
Duration: 3 hours
Lessons: 18
Cloud Labs: 4
Learning path: Advanced Application Security

JWT Jiu-Jitsu

Ideal for
Developer
Security Engineer
Pentester
Security Architect
Security Champion

Copyright AppSecEngineer © 2025