Why JWT verify tampered tokens?

gamero.sa · October 31, 2018, 1:57pm

Hey,!

I’ve been doing tests with jwt.io token example and I don’t get why JWT Debugger verifies this token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

and also this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5f

with the same secret key (“your-256-bit-secret”). I must be missing something, can anyone explain it to me?

Thanks.

john.gateley · October 31, 2018, 2:04pm

This is just a guess, but the two tokens differ ONLY in the last two bits:
0xC = 1100
0xF = 1111
I would guess these last two bits are not really part of the payload.
If we do 0x8 as the last bit (1000) the signature is invalid.
If we do D and E, the signature is also verified.
So, I’d guess these are just unused bits.

John

markd · October 31, 2018, 8:22pm

You can replace that last character with a ‘c’, ‘d’, ‘e’, or ‘f’ and it is considered valid. Anything else and it is invalid. No idea why though.

James.Morrison · November 5, 2018, 7:34pm

I wanted to reach out and let you know to please feel free to visit us again if you have any additional questions @gamero.sa! Thanks!

system · December 5, 2018, 7:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JWT.io Debugger does validate at all. Considers ANY secret as valid. How is this possible? JWT.io jwt-debugger	3	1729	September 25, 2023
Why does jwt.verify() give "invalid signature"? JWT.io	13	92722	January 22, 2019
Jwt.io debug tool problem report JWT.io	1	873	December 10, 2023
Can JWT easily be hacked by Debugger? JWT.io debugger	4	1789	April 11, 2023
Invalid Signature JWT.io jwt , invalid-signature	10	2525	June 9, 2023

Why JWT verify tampered tokens?

Related Topics