JWT Failed to verify Signature
Because the server does not verify the JWT signature, an attacker can tamper with the JWT payload (for example, change the subject or role claims) and use the modified token to access protected resources.
Broken User Authentication (BUA)
How this template works
APIs Selection
The template uses API selection filters to specify the criteria for selecting the requests to be executed. Here it selects requests whose recorded response code is between 200 and 299 and whose request headers contain a JWT (JSON Web Token), so only endpoints that already accept a token are tested.
Execute request
The template uses the "execute" section to define the type of request to be executed. Here it is a single request. The authentication header is replaced with a token whose signature does not match its payload, taken from the "auth_context.invalid_signature_token" variable.
Validation
The template uses the "validate" section to define the criteria for a finding. Here it checks whether the response code is again between 200 and 299. A server that verifies signatures should reject the tampered token (typically with 401 or 403), so a successful response means the signature was never checked.
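The three stages above, as an added, self-contained example in Python. It is not Akto's code and does not use the Akto YAML engine: the names `sign_hs256`, `invalid_signature_token`, `vulnerable_decode`, `hardened_decode`, `handle_profile` and `run_template`, the secret and the sample claims are all constructed for this illustration. `run_template` mirrors the template's selection, execution and validation logic against a toy endpoint, once with a decoder that skips signature verification and once with one that checks it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service keeps this out of source control.
SECRET = b"constructed-demo-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict) -> str:
    """Issue a correctly signed HS256 token (stands in for the real login flow)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def strip_bearer(value: str) -> str:
    return value[len("Bearer "):] if value.startswith("Bearer ") else value


def looks_like_jwt(value: str) -> bool:
    """Selection filter: three dot-separated parts whose first part is a JSON header with 'alg'."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    try:
        hdr = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(hdr, dict) and "alg" in hdr


def invalid_signature_token(token: str, **tampered) -> str:
    """Attacker's token: same header, edited claims, original signature left in place.
    The stale signature no longer matches the payload, which is exactly what a
    verifying server must catch."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(tampered)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_payload}.{sig}"


def vulnerable_decode(token: str) -> Optional[dict]:
    """The bug under test: the payload is trusted without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(b64url_decode(parts[1]))


def hardened_decode(token: str) -> Optional[dict]:
    """Correct handling: pin the algorithm, recompute the HMAC, compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    hdr = json.loads(b64url_decode(header))
    if hdr.get("alg") != "HS256":  # never let the token choose the algorithm (e.g. "none")
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def handle_profile(decoder, auth_header: str) -> int:
    """Toy protected endpoint: 200 when the token is accepted, 401 otherwise."""
    if not auth_header.startswith("Bearer "):
        return 401
    claims = decoder(strip_bearer(auth_header))
    return 200 if claims is not None and "sub" in claims else 401


def run_template(decoder, recorded_headers: dict, recorded_status: int) -> bool:
    """Mirror of the template: returns True when the endpoint is flagged as vulnerable."""
    # API selection: recorded response was 2xx and some header carries a JWT.
    if not 200 <= recorded_status < 300:
        return False
    jwt_headers = [k for k, v in recorded_headers.items() if looks_like_jwt(strip_bearer(v))]
    if not jwt_headers:
        return False
    # Execute: one replay with the auth header swapped for the invalid-signature token.
    key = jwt_headers[0]
    tampered = invalid_signature_token(strip_bearer(recorded_headers[key]), sub="victim", role="admin")
    status = handle_profile(decoder, "Bearer " + tampered)
    # Validate: a 2xx to the tampered token means the signature was not verified.
    return 200 <= status < 300


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"})  # constructed sample session
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    print("vulnerable server flagged:", run_template(vulnerable_decode, headers, 200))
    print("hardened server flagged:  ", run_template(hardened_decode, headers, 200))
```

In Akto the tampered token comes from `auth_context.invalid_signature_token` and is built from the recorded session; here `invalid_signature_token` derives it locally by editing a claim and keeping the stale signature. The hardened decoder also rejects tokens whose header names any algorithm other than the one the server expects, which closes the related `alg: none` bypass.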
Frequently asked questions
What is the purpose of the "JWT_INVALID_SIGNATURE" category in this test?
How does the server respond when an invalid JWT signature is provided?
What is the impact of exploiting the JWT_INVALID_SIGNATURE vulnerability?
What is the "NO_AUTH" category in this test?
What are some tags associated with this test?
Can you provide some references for further reading on the JWT_INVALID_SIGNATURE vulnerability?
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', 'Validate', creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern-day organization."

Security team,
Rippling