Oct 25, 2025

2 min read

JWT Security

Learn about JWTs, where they are used, and how they need to be secured.

Web Application Pentesting > Authentication > JWT Security

Diamond Model

Task 1

Introduction

I am ready to learn about JWTs!

No answer needed

Task 2

Token-Based Authentication

What is the common header used to transport the JWT in a request?

Authorization: Bearer

Task 3

JSON Web Tokens

HS256 is an example of what type of signing algorithm?

Symmetric

RS256 is an example of what type of signing algorithm?

Asymmetric

What is the name used for encrypted JWTs?

JWE

Task 4

Sensitive Information Disclosure

What is the flag for example 1?

THM{9cc039cc-d85f-45d1-ac3b-818c8383a560}

Task 5

Signature Validation Mistakes

What is the flag for example 2?

THM{6e32dca9-0d10-4156-a2d9-5e5c7000648a}

What is the flag for example 3?

THM{fb9341e4-5823-475f-ae50-4f9a1a4489ba}

What is the flag for example 4?

THM{e1679fef-df56-41cc-85e9-af1e0e12981b}

What is the flag for example 5?

THM{f592dfe2-ec65-4514-a135-70ba358f22c4}

Task 6

JWT Lifetimes

What is the flag for example 6?

THM{a450ae48-7226-4633-a63d-38a625368669}

Task 7

Cross-Service Relay Attacks

What is the flag for example 7?

THM{f0d34fe1-2ba1-44d4-bae7-99bd555a4128}

Task 8

Conclusion

I understand how to exploit weak JWT implementations and how to secure them!

No answer needed

Lo nuevo de angular 18

Server-side Template Injection