Question 1

What are common JWT vulnerabilities?

Accepted Answer

The most common are: alg:none bypass (removing the signature), weak HMAC secrets (brute-forceable), algorithm confusion (RS256 → HS256 with public key as secret), missing expiry validation, and accepting tokens without verifying issuer or audience claims.

Question 2

How do I secure JWTs?

Accepted Answer

Whitelist allowed algorithms server-side, use strong secrets (32+ bytes), always validate exp/iss/aud claims, keep token lifetime short (15 minutes for access tokens), use refresh token rotation, and store tokens in HttpOnly cookies rather than localStorage.

JWT Heist

How to play

Frequently Asked Questions