Authentication | Critical Severity

JWT Algorithm Confusion Scanner

Detects JWT algorithm confusion attacks (RS256 to HS256).

What is JWT Algorithm Confusion?

JWT Algorithm Confusion (also called key confusion) occurs when a server uses RS256 (asymmetric) but can be tricked into accepting HS256 (symmetric). Attackers change the algorithm header to HS256 and sign the token with the public key (which is often publicly available), creating valid signatures the server accepts.

Why is This Important?

This vulnerability allows complete authentication bypass without knowing any secrets. If an attacker knows the public RSA key (often exposed in JWKS endpoints or certificates), they can forge tokens for any user. This affects many JWT implementations and has led to widespread authentication bypasses.

How It Works

1. Auth Flow Analysis

Maps authentication mechanisms including login, registration, password reset, and session management flows.

2. Security Testing

Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.

3. Access Verification

Validates findings by demonstrating unauthorized access or privilege escalation paths.

Key Capabilities

Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.

  • Complete authentication flow analysis
  • Token and session security validation
  • Password policy and brute-force testing
  • Multi-factor authentication bypass detection
  • OAuth, SAML, and JWT security assessment

Frequently Asked Questions

How does algorithm confusion work technically?

With RS256, the server verifies using the public key. With HS256, it verifies using a shared secret. If an attacker changes the algorithm to HS256, the server may use the public key as the HMAC secret. Since the attacker knows the public key, they can sign valid tokens.

How do attackers obtain the public key?

Public keys are often exposed via /.well-known/jwks.json or /oauth/jwks, in TLS certificates, or in API documentation, and they can also be derived from two valid signatures. They're called 'public' because they're meant to be shared, but they become dangerous with algorithm confusion.

Which JWT libraries are vulnerable?

Many libraries were historically vulnerable, including older versions of jsonwebtoken (Node.js), PyJWT, ruby-jwt, and jose libraries. Most have been patched, but older applications or outdated dependencies remain at risk.

How do I prevent algorithm confusion attacks?

Always specify the expected algorithm when verifying, use separate key objects for asymmetric and symmetric operations, use allowlist-based algorithm validation, keep libraries updated, and consider libraries that prevent confusion by design (like jose in strict mode).
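
The first three prevention steps, shown as an added Node.js example (not the scanner's code or any JWT library's code): a verifier that trusts the token header next to one that pins the algorithm and requires a public key object. The function names, the ALLOWED map and the sample tokens are constructed for illustration; only the built-in node:crypto module is used.

```javascript
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const b64u = (s) => Buffer.from(s).toString('base64url');
const ALLOWED = new Map([['RS256', 'RSA-SHA256']]); // JWT alg -> Node digest name

// Splits a compact JWT into parsed header, signed bytes and raw signature.
function parseJwt(token) {
  const p = String(token).split('.');
  if (p.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(p[0], 'base64url').toString('utf8')) || {};
  return { header, signed: Buffer.from(`${p[0]}.${p[1]}`), sig: Buffer.from(p[2], 'base64url') };
}

// Flawed pattern: the token header picks the algorithm, so the PEM text of
// the RSA public key is also accepted as an HMAC secret.
function verifyHeaderTrusting(token, keyPem) {
  const { header, signed, sig } = parseJwt(token);
  if (header.alg === 'RS256') return crypto.verify('RSA-SHA256', signed, keyPem, sig);
  if (header.alg !== 'HS256') return false;
  const mac = crypto.createHmac('sha256', keyPem).update(signed).digest();
  return mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
}

// Hardened pattern: the verifier's allowlist fixes the algorithm, and the key
// must be a public KeyObject, so it can never be reused as raw HMAC bytes.
function verifyPinned(token, publicKey) {
  const { header, signed, sig } = parseJwt(token);
  const digest = ALLOWED.get(header.alg);
  if (!digest) return false; // alg outside the allowlist: reject before touching the key
  if (!(publicKey instanceof crypto.KeyObject) || publicKey.type !== 'public') return false;
  return crypto.verify(digest, signed, publicKey, sig);
}

// Constructed inputs: throwaway key pair, a genuine RS256 token, and a token
// shaped as described above (HS256 header, HMAC keyed with the public PEM).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const input = (alg) => `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u('{"sub":"alice"}')}`;
  const rs = input('RS256'), hs = input('HS256');
  const good = `${rs}.${crypto.sign('RSA-SHA256', Buffer.from(rs), privateKey).toString('base64url')}`;
  const mismatched = `${hs}.${crypto.createHmac('sha256', pem).update(hs).digest().toString('base64url')}`;
  return {
    trustingGood: verifyHeaderTrusting(good, pem), trustingMismatched: verifyHeaderTrusting(mismatched, pem),
    pinnedGood: verifyPinned(good, publicKey), pinnedMismatched: verifyPinned(mismatched, publicKey),
    pinnedStringKey: verifyPinned(good, pem), // PEM string instead of KeyObject: refused
  };
}
```

demo() doubles as a regression test for a verifier: the header-trusting function accepts both tokens, while the pinned one accepts only the genuine RS256 token.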
