JWT Security Testing: A Beginner’s Guide to Spotting and Fixing Vulnerabilities
Who this is for: Newcomers to cybersecurity who want a safe, hands-on way to understand JWTs.

What you'll build: A tiny Docker lab that shows JWT validation, so you can test valid vs invalid tokens.

What you'll learn:
- How to recognize a JWT (including the quick "eyJ" tell)
- How to decode a JWT in your terminal (header and payload)
- The anatomy of a JWT: header, payload (claims), signature
- Common algorithms (HS256, RS256, ES256, EdDSA)
- Where JWTs show up in APIs (Bearer tokens, OIDC)
- Misconfigurations to look for, plus a safe Docker lab to try locally

Try it yourself: generate valid and intentionally invalid tokens to see the server's responses.

1) How to spot a JWT (fast)

Shape: Three Base64URL-encoded chunks separated by dots:

xxxxx.yyyyy.zzzzz // header.payload.signature

The "eyJ" trick: A JWT header is a JSON object, so it starts with {" and the Base64URL encoding of {" begins with eyJ. If you see a long string with two dots that starts with eyJ, it is likely a JWT (a heuristic, not a guarantee; the payload chunk usually starts with eyJ for the same reason).

Where JWTs travel: Commonly in:
- HTTP headers → Authorization: Bearer <JWT>
- Cookies → a_cookie=...
- POST bodies → REST / GraphQL requests

Quick helper: The online debugger at jwt.io can decode the header and payload. Don't paste secrets or production tokens into it.

2) Decode a JWT in your terminal (reading ≠ verifying)

Decoding just reads the JSON. It does not prove the token is valid or untampered. ...
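The two points above (spotting a JWT by its shape, and decoding being separate from verifying) in one runnable script. This is an added example, not code from the original guide or its Docker lab; it assumes an HS256 token with a shared secret, and the key, claims and helper names (looks_like_jwt, decode_unverified, verify_hs256, tamper_payload) are constructed for illustration. It mints a token, decodes it without verification, then changes a claim and shows that decoding still "works" while HMAC verification rejects the tampered token.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

# Shape heuristic from the text: three Base64URL chunks joined by dots.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def looks_like_jwt(s: str) -> bool:
    """Shape check only: header.payload.signature plus the 'eyJ' tell. Not proof."""
    return bool(JWT_RE.match(s)) and s.startswith("eyJ")


def b64url_decode(segment: str) -> bytes:
    """Base64URL (unpadded, as JWTs use) -> bytes; re-adds the '=' padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def extract_bearer(authorization_header: str) -> Optional[str]:
    """Pull the token out of an 'Authorization: Bearer <JWT>' header value."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload as JSON. Proves nothing about who issued the token."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Constructed helper to mint a lab token: HMAC-SHA256 over 'header.payload'."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC and compare in constant time. The expected algorithm is
    pinned server-side; the 'alg' claimed by the token is never trusted to pick it."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the original signature."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{s}"


# Constructed lab data (assumption: not from the original page).
KEY = b"lab-secret-not-for-production"
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, KEY)

if __name__ == "__main__":
    tok = extract_bearer(f"Bearer {TOKEN}")
    print("looks like a JWT:", looks_like_jwt(tok))
    print("decoded (unverified):", decode_unverified(tok))
    print("verifies with lab key:", verify_hs256(tok, KEY))
    forged = tamper_payload(tok, role="admin")
    print("forged token still decodes:", decode_unverified(forged)[1])
    print("forged token verifies:", verify_hs256(forged, KEY))
```

The point to take away: decode_unverified happily returns role "admin" for the forged token, exactly what jwt.io or a terminal base64 decode would show, and only verify_hs256, which recomputes the signature with the server's key, tells the two apart.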