Injection: JWT Signature check

Identifier: jwt_sign_check

Scanner(s) Support

  • GraphQL Scanner
  • REST Scanner
  • WebApp Scanner
  • ASM Scanner

Description

JWT signature validation vulnerabilities occur when a server accepts tokens whose signature does not verify, or signs tokens with a weak secret key. Either flaw lets an attacker forge tokens and impersonate users or escalate privileges.

How we test: We modify JWT tokens so that their signatures are invalid and attempt to brute-force weak secret keys, then analyze the responses to detect whether the server accepts tokens with incorrect signatures. We test for signature validation bypasses and verify whether the server properly validates token signatures and uses strong secret keys.
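The following is an added example, not part of this documentation or the scanner's own code, showing the two server-side mistakes this check targets next to a hardened verifier. It assumes HS256 tokens, a constructed weak secret ("secret") and the RFC 7518 recommendation that an HMAC key be at least as long as the hash output (32 bytes for HS256); the function names are illustrative. decode_unverified is the vulnerable pattern (payload trusted without a signature check), verify_hs256 is the corrected one (algorithm pinned, signature compared in constant time), and secret_is_strong is the key-length check a defender would run on their own signing secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# RFC 7518 section 3.2: an HS256 key should be at least 256 bits. Shorter,
# human-chosen secrets are exactly what a brute-force check recovers.
MIN_HS256_SECRET_BYTES = 32


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (used here only to build sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern: trusts the payload without checking the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Hardened verification: returns the claims only if the signature is valid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    # Pin the algorithm server-side; the token must never choose it
    # (rejects "alg": "none" and algorithm-confusion headers).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not leak the expected MAC.
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


def secret_is_strong(secret: bytes) -> bool:
    """Key-length check a defender runs on their own signing secret."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


def demo() -> dict:
    """Reproduce the scanner's observation: a tampered payload with a stale
    signature is accepted by the vulnerable decoder and rejected by the
    hardened verifier; a short secret is flagged as weak."""
    weak_secret = b"secret"                 # constructed weak key
    strong_secret = secrets.token_bytes(32)
    genuine = sign_hs256({"sub": "alice", "role": "user"}, strong_secret)

    # Constructed tampered token: payload changed, original signature kept.
    header_b64, _, sig_b64 = genuine.split(".")
    forged_payload = _b64url_encode(
        json.dumps({"sub": "alice", "role": "admin"}, separators=(",", ":")).encode()
    )
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"

    # Constructed unsigned token: header says "none", empty signature segment.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{forged_payload}."

    return {
        "unverified_accepts_tampered": decode_unverified(tampered)["role"] == "admin",
        "verified_rejects_tampered": verify_hs256(tampered, strong_secret) is None,
        "verified_rejects_alg_none": verify_hs256(unsigned, strong_secret) is None,
        "verified_accepts_genuine": verify_hs256(genuine, strong_secret)
        == {"sub": "alice", "role": "user"},
        "weak_secret_flagged": not secret_is_strong(weak_secret),
        "strong_secret_passes": secret_is_strong(strong_secret),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

A server that behaves like decode_unverified, or that pins its algorithm but signs with a secret short enough for the brute-force check to recover, is what this test reports. Generating the secret with secrets.token_bytes(32) and comparing with hmac.compare_digest are the two mitigations that resolve both findings.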

Execution conditions (BLST):

  • Runs when this sub-test is enabled and a suitable authenticated JWT exchange is found by the shared JWT baseline selection logic.
  • This config enables both the invalid-signature check and the JWT secret brute-force check.

References:

Configuration

Example

Example configuration:

---
security_tests:
  jwt_sign_check:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.