Scenario:
You're performing a penetration test against a web application belonging to craw.in, a data analytics firm. The application utilizes JWTs for authentication and authorization. You've successfully intercepted a JWT issued to a user.
Question 1.
You intercept a JWT. What's the first part of the JWT you should analyze?
Question 2.
What standard algorithm is indicated if the JWT header claims "alg": "HS256"?
Question 3.
Which open-source JWT debugging tool can you use to inspect the JWT’s content easily?
Question 4.
What kind of vulnerability can be triggered if you modify the "alg" field to "none"?
Question 5.
If the "alg" is set to "RS256", what kind of key is used?
Question 6.
What type of attack is it when we use a public key instead of a private key to verify the signature?
Question 7.
What kind of tool can be used to brute-force the secret key of an HS256 JWT if you suspect a weak key?
Question 8.
If the JWT contains a field called "isAdmin," what kind of authorization issue could you exploit if you can manipulate its value?
Question 9.
What is the recommended minimum length, in bits, for a secret key used with HS256 to provide adequate security?
Question 10.
What section of the JWT should be modified in order to modify user-id or isAdmin privileges?
Question 11.
A vulnerability is identified where the application doesn't properly validate the aud (audience) claim in the JWT. What kind of attack is this called?
Question 12.
What type of vulnerability may occur if the 'kid' (key ID) header is used and you can control it to point to an arbitrary file path?
Question 13.
The JWT has an exp (expiration) claim. If the server doesn't validate this claim correctly, what kind of attack becomes possible?