JWT payload tampering alert
- A security post on social media warned that attackers can tamper with JSON Web Token payloads if servers don't re‑verify them.
- The post highlighted this common pitfall and gained substantial attention on social media.
- The reminder underlines the need for server‑side verification of tokens in auth systems during interviews and code reviews (x.com).
A JSON Web Token is a three-part string: a header, a payload, and a signature. The payload is just data encoded for transport, and the signature is the part a server must check before trusting any claim inside it. (rfc-editor.org) The standard behind JSON Web Tokens, RFC 7519, says the claims in a token can be digitally signed or protected with a message authentication code. If a server accepts a changed payload without checking that signature again, the token’s integrity check has failed. (rfc-editor.org)

That mistake usually starts with a convenience function. In the widely used `jsonwebtoken` package for Node.js, `jwt.decode` reads a token without validating it, while `jwt.verify` checks the signature with a secret or public key. (github.com)

JWTs are common in login systems, application programming interfaces, and single sign-on flows because they let servers carry identity claims like user IDs, roles, and expiration times in one compact string. The risk is that developers may treat those decoded claims as trusted before verification. (owasp.org) The Open Worldwide Application Security Project says a signed JSON Web Token can be trusted only because it is digitally signed. Its testing guide says changing any part of the token should invalidate the signature and cause the server to reject it. (cheatsheetseries.owasp.org)

In practice, the classic failure mode is simple: an attacker decodes the token, changes a claim such as `role` from `user` to `admin`, re-encodes it, and sends it back. If the server only parses the payload and never verifies the signature, the forged claim can be accepted. (portswigger.net) Security training material treats that as one of the first checks in a JWT review. PentesterLab’s 2025 guide calls “signature not verified” one of the most common and dangerous implementation mistakes because JWT flaws often sit directly inside authentication and authorization paths. (pentesterlab.com)

The larger point is that a JWT is not secret just because it looks scrambled. JWT.io says the signature is calculated from the header and payload, so verification is what tells a server the contents were not tampered with after issuance. (jwt.io) That is why code reviews often focus on two verbs, not one: decode for inspection, verify for trust. If the second step is missing, the token stops being proof and becomes user input with a cryptographic-looking wrapper. (github.com)