While testing a single-page application that relies on JSON Web Tokens (JWT) for authentication, you decode a token issued after successful login and notice the header reads {"alg":"HS256"}. When you intentionally modify it to {"alg":"none"} and strip the signature, the server still accepts the token. Which attack are you exploiting to bypass authentication?
The behaviour demonstrates a classic JWT algorithm confusion ("none" algorithm) attack. Some poorly implemented JWT libraries trust the value supplied in the alg field and skip signature verification when it is set to "none". By removing the signature and changing the header, an attacker can create arbitrary, unsigned tokens that the server treats as valid, effectively bypassing authentication controls. Cross-site request forgery targets state-changing requests, not token validation. SQL injection focuses on manipulating database queries and does not involve JWT headers. Session fixation forces a victim to use a chosen session ID rather than removing signature verification in JWTs.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the "none" algorithm in JWT?
Open an interactive chat with Bash
How does JWT algorithm confusion work?
Open an interactive chat with Bash
How can developers prevent JWT algorithm confusion attacks?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .