Modern access control lives and dies on top of JSON-based tokens. When you inspect an OAuth access token, an OpenID Connect ID token, or a signed API session, you are usually looking at a JSON Web Signature (JWS) structure. Search engines will send many people to “json web signature decode” tools that seem to magically turn opaque strings into readable JSON.
For offensive and defensive security engineers, that is only the first step. Decoding a JWS tells you what the token claims; it does not tell you whether those claims are trustworthy, whether the signature is correctly enforced, or whether the implementation is already in a CVE database.
This article walks through what actually happens when you perform json web signature decode, how real-world vulnerabilities emerged from subtle mistakes around JWS verification, and how to build a repeatable workflow that fits into an automated, AI-augmented pentest pipeline.
What a JSON Web Signature really is
According to the JWS specification, a JSON Web Signature represents arbitrary content protected by either a digital signature or a MAC, using JSON-based structures. It provides integrity and authenticity for a sequence of bytes, independent of what those bytes represent. (IETF Datatracker)
In practice, most of the time that sequence of bytes is a JSON object of claims — which is what we call a JSON Web Token (JWT). JWS itself is defined in [RFC 7515], while JWT is in a sibling standard focused on how those claims are structured and interpreted. (Medium)
The familiar compact form looks like this:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0Iiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sImV4cCI6MTczNDkxMjAwMH0.
ODU5Y...signature-bytes-here...
Conceptually, it is three Base64URL-encoded parts joined by dots:
| Part | Name | Description |
|---|---|---|
| 1st chunk | Header | JSON describing the algorithm, key hints (kid, jwk, x5u), token type |
| 2nd chunk | Payload | Claims: subject, scopes, issuer, expiry, etc. |
| 3rd chunk | Signature | Output of signing base64url(header) + "." + base64url(payload) |
A json web signature decode operation, whether performed by an online tool or in your own scripts, only reverses the Base64URL encoding of the first two parts and pretty-prints the JSON. It does not prove the signature is valid unless the tool explicitly performs verification with a known key and a constrained algorithm set. (developer.pingidentity.com)
How json web signature decode tools actually work
Most JWT / JWS decoders — such as the common developer tools used in browsers or web-based playgrounds — implement the same minimal pipeline:
- Split on dots into three segments.
- Base64URL-decode the first two segments.
- Parse them as JSON for header and payload.
- If a verification key is supplied, re-compute the signature using the algorithm advertised in the header and compare against the third segment. (developer.pingidentity.com)
From a security engineer’s perspective, steps 1–3 are safe enough for offline analysis; step 4 is where most vulnerabilities hide.
Minimal Python decode snippet
Here is a deliberately simple decode-only snippet in Python, useful when you are grepping through captured tokens during a pentest:
import base64
import json
def b64url_decode(data: str) -> bytes:
# JWT padding handling
padding = '=' * (-len(data) % 4)
return base64.urlsafe_b64decode(data + padding)
def decode_jws(token: str):
header_b64, payload_b64, signature_b64 = token.split('.')
header = json.loads(b64url_decode(header_b64))
payload = json.loads(b64url_decode(payload_b64))
return header, payload, signature_b64
jws = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...."
h, p, sig = decode_jws(jws)
print("Header:", h)
print("Payload:", p)
Note that this function never calls a verify routine; it is only decoding. That is often exactly what you want when triaging a new target: fast inspection with zero cryptographic assumptions.
Node.js snippet with verification
Once you move beyond decode into verification, every detail matters:
import jwt from "jsonwebtoken";
import fs from "fs";
const publicKey = fs.readFileSync("public.pem", "utf-8");
function verifyJws(token) {
// Critical: explicitly lock down supported algorithms
return jwt.verify(token, publicKey, {
algorithms: ["RS256"],
});
}
If you omit the algorithms whitelist and let the library infer the algorithm from the untrusted header, you are replaying exactly the conditions that led to multiple JWT CVEs.
Decoding is harmless, trusting decoded data is not
A pattern shows up again and again in incident reports and CVEs: developers treat decoded JWT / JWS data as if it were already verified. Multiple modern writeups of JWT security issues emphasize that Base64URL decoding is trivial and that the secrecy of a token does not come from “being hard to read.” (PortSwigger)
Three recurring classes of bugs stand out:
- The “alg” field is treated as a source of truth. If your verification code pulls the algorithm to use from the header — which is user-controlled — you are inviting algorithm confusion attacks.
- The
nonealgorithm is accidentally accepted. The JWT standard historically required support for"none"as an algorithm meaning “no integrity protection”. Auth0’s classic analysis showed how several libraries naively honored this choice, allowing unsigned tokens to pass checks. (Auth0) - Key hints (
kid, embeddedjwk,x5u) are not validated. Both the JWS RFC and testing guides highlight that allowing the token to choose its own verification key without strict whitelisting lets attackers smuggle arbitrary public keys or force key lookups in attacker-controlled locations. (PortSwigger)
In other words, json web signature decode gives you observability. It does not give you trust. That distinction is what separates a safe debugging setup from a remote code execution headline.
When decoding meets CVEs: concrete JWS failure modes
To understand how badly things can go wrong when decode and verify are conflated, it is worth looking at a few CVEs that revolve around JWS verification logic.
CVE-2015-9235 – HS/RS key confusion in jsonwebtoken
In the Node.js jsonwebtoken module before version 4.2.2, a design error made it possible to bypass signature verification by switching from an asymmetric algorithm (RS256 / ES256 families) to a symmetric one (HS256). The vulnerable code path reused the same value — the RSA public key — as the HMAC secret when the attacker changed the alg header to HS256. (nvd.nist.gov)
From the attacker’s viewpoint, the workflow is straightforward:
- Decode the original token and inspect the header.
- Extract the server’s public key (for example, from a JWK endpoint or certificate).
- Forge a new token with an HS256 header, using the public key as an HMAC secret.
- Present the forged token; the server mistakenly treats it as valid.
Here, decode gave the attacker the raw material (header, algorithm, key locations); the verification logic did the rest.
CVE-2018-1000531 – accepting the none algorithm
This vulnerability tracked cases where libraries accepted tokens signed with the none algorithm, effectively treating them as valid despite lacking any signature. The exploit pattern is almost comically simple: change "alg": "RS256" to "alg": "none", remove the signature part, and see if the target API accepts the token. (0xn3va.gitbook.io)
CVE-2023-48238 – algorithm confusion in json-web-token
The json-web-token library for JavaScript was found vulnerable to another algorithm confusion attack. The core issue: the algorithm used for verification was taken directly from the token header, which at that point was untrusted. That allowed attackers to pick a more convenient algorithm than the one the server operator thought they were enforcing. (nvd.nist.gov)
CVE-2024-54150 – confusion in a C JWT implementation
More recently, the cjwt C library suffered a critical algorithm confusion flaw, now tracked as CVE-2024-54150. A code review revealed that the implementation did not properly distinguish HMAC-based algorithms from RSA / EC ones when verifying tokens, again opening the door for key confusion. (nvd.nist.gov)
These cases are not historical curiosities; they show that even in 2023–2024, subtle mistakes in the verify path of JWS remain an active source of serious vulnerabilities.
To keep them straight during an assessment, many teams create a cheat-sheet like the following:
| CVE | Root cause | Attack theme | Main lesson |
|---|---|---|---|
| 2015-9235 | HS vs RS key confusion | Algorithm confusion | Enforce alg whitelist; separate keys per algorithm |
| 2018-1000531 | none accepted as signature | Null signature | Never allow none in production |
| 2023-48238 | Algorithm from untrusted JWT | Algorithm confusion | Ignore header alg; use server-side configuration only |
| 2024-54150 | No distinction HS vs RS/EC | Algorithm confusion (C) | Treat MAC vs signature as fundamentally different paths |
During a json web signature decode exercise, explicitly mapping observed tokens against this table is a quick way to spot which playbooks you should try.
A practical decode-first workflow for pentesters
When you are assessing an API or SSO system that relies on JWS, a disciplined decode-first workflow avoids both blind spots and noisy guessing.
- Capture and catalog tokens. Use your proxy or test harness to capture all tokens: Authorization headers, cookies, URL parameters. Group them by issuer and audience.
- Decode header and payload offline. Use scripts like the Python snippet above or
jwt_toolto decode only; never rely on an online service for sensitive tokens in real engagements. (GitHub) - Build a header matrix. For each token family, record
alg,kid, presence ofjku/jwk/x5u, and any custom header fields. This is where PortSwigger’s guidance on embedded JWKs and attacker-supplied keys becomes directly actionable. (PortSwigger) - Infer key management patterns. Based on header fields and well-known endpoints (
/.well-known/jwks.json), sketch out how keys are distributed and rotated. - Test for known classes of bugs.
- Try null-signature /
nonevariants if the library or stack historically supported them. - Perform HS/RS key confusion attempts where algs are not locked down.
- Probe
kidhandling for directory traversal or file inclusion behavior. - Attempt embedded JWK injection where the spec allows it but the implementation may not constrain it.
- Try null-signature /
- Then, and only then, move to full exploitation attempts. At this stage, you should know precisely what you are trying to prove, rather than just throwing payloads at a black box.
In this process, json web signature decode is the observability layer for the rest of your attack methodology.
Integrating json web signature decode into an AI-driven pentest pipeline (Penligent.ai)
Manual analysis works for a single engagement; at scale, teams need something closer to a pipeline. An AI-assisted platform like Penligent.ai can fold json web signature decode directly into its reconnaissance and exploitation phases.
In a typical setup, the platform ingests HTTP traffic from a browser sandbox or a proxy, automatically extracts candidate tokens, and performs bulk JWS decode on headers and payloads. The AI agent then clusters tokens by issuer, algorithm, and key hints, looking for anomalies such as unexpected algorithm diversity, strange kid encodings, or unusual claim combinations.
Once that baseline is built, Penligent’s attack engine can automatically run curated JWT / JWS playbooks: null-signature attempts, algorithm confusion scenarios, embedded JWK or jku abuse, and known CVE-inspired probes. Instead of leaving these checks to a human’s memory, the system treats them as repeatable test cases that run on every target, feeding results back into an evidence-first risk list and a machine-readable report.
For security engineers building an internal “AI red team” capability, wiring json web signature decode into such an automated pipeline is often one of the highest-leverage pieces of low-level plumbing.
Hardening checklist and further reading
If your day job involves issuing or verifying JWS / JWT tokens, you can treat this as a minimum bar:
- Enforce a strict, server-side list of allowed algorithms; never read
algfrom an untrusted token as policy. - Separate keys between asymmetric signatures and HMAC secrets; never reuse an RSA public key as an HMAC key.
- Permanently disable
nonein production libraries and reject any token that advertises it. - Treat all header fields (
kid,jku,jwk,x5u) as untrusted input and validate them against a pinned key set or whitelist. - Keep your JWT libraries patched; periodically review CVEs like CVE-2015-9235, CVE-2018-1000531, CVE-2023-48238, and CVE-2024-54150 to see whether your stack is affected. (Swissky’s Lab)
- Add regression tests that explicitly exercise none/algorithm-confusion scenarios.
For deeper dives, these English-language references are worth bookmarking and linking from your internal runbooks:
- The core [JSON Web Signature (JWS) RFC 7515] from the IETF. (IETF Datatracker)
- OWASP’s section on [Testing JSON Web Tokens] in the Web Security Testing Guide. (OWASP Foundation)
- PortSwigger’s Web Security Academy labs on [JWT attacks] and [algorithm confusion]. (PortSwigger)
- Tim McLean’s classic Auth0 writeup on [critical vulnerabilities in JSON Web Token libraries]. (Auth0)
- The evolving [JWT Best Current Practices] draft in the IETF OAuth working group. (IETF)
Used correctly, json web signature decode is not just a debugging convenience; it is the front door to a systematic way of understanding, attacking, and hardening the authentication fabric of your applications.
