Cyber Security Academy · Lesson

Token Attacks and Hardening

Defending auth flows from abuse.

Tokens as Credentials

In modern auth, tokens are credentials. Whoever holds a valid bearer token is treated as the authenticated party until it expires or is revoked.

  • This makes token theft equivalent to credential theft.
  • Hardening focuses on limiting token lifetime, binding tokens to a holder, and enabling fast revocation.

This lesson covers attacks against OAuth/OIDC/SAML tokens and the defensive controls that counter them.

JWT Algorithm Confusion

A classic JWT attack abuses the alg header.

  • alg: none, if the verifier accepts it, lets an attacker forge tokens that carry no signature at all.
  • RS256 to HS256 confusion: the attacker re-signs the token with HS256 using the server's public RSA key as the HMAC secret. A verifier that reuses its configured key for whatever alg the header names will compute the same HMAC and accept the forgery.

Defense: pin the expected algorithm server-side and never let the token dictate which verification path runs.

Vulnerable: verify(token, key)  // alg taken from header
Hardened:   verify(token, key, { algorithms: ["RS256"] })
// reject alg:none, reject HS* when RS* expected

All lessons in this course

  1. OAuth 2.0 Flows
  2. OpenID Connect (OIDC)
  3. SAML and Federation
  4. Token Attacks and Hardening