Security Assessment of JWKS-Based Authentication: Mitigating JWT Attack Vectors Through Penetration Testing

Authors

  • Ferry Andhika Pratama, Informatics Engineering, Universitas 17 Agustus 1945 Surabaya, Indonesia
  • Agus Hermanto, System and Information Technology, Universitas 17 Agustus 1945 Surabaya, Indonesia
  • Geri Kusnanto, Informatics Engineering, Universitas 17 Agustus 1945 Surabaya, Indonesia

DOI:

https://doi.org/10.52436/1.jutif.2026.7.2.5662

Keywords:

Algorithm Confusion Attack, Authentication Security, JSON Web Token, JWKS, Penetration Testing, RFC 7517

Abstract

JSON Web Tokens (JWT) have become the de facto standard for stateless authentication in modern web applications and microservices architectures. However, improper implementation exposes systems to critical vulnerabilities including algorithm confusion attacks, signature bypass, and key injection exploits. This paper presents a comprehensive resilience analysis of JSON Web Key Set (JWKS)-based authentication mechanisms against known JWT attack vectors through a systematic penetration testing approach. We implemented and evaluated a production-grade courier management system (City Courier) featuring dynamic JWKS key rotation, RFC 7517-compliant public key distribution, and encrypted private key storage. Our penetration testing methodology systematically evaluated the system against 10 critical JWT attack vectors including algorithm confusion (CVE-2022-29217), kid parameter injection, weak secret exploitation, and signature verification bypass. Results demonstrate that proper JWKS implementation with dynamic key rotation, strict algorithm validation, and comprehensive audit logging provides robust defense against all tested attack vectors. The system successfully mitigated algorithm confusion attacks through explicit algorithm whitelisting, prevented kid injection via UUID-based key identifiers, and maintained security during key rotation events. Performance analysis shows minimal overhead (less than 50ms) for JWKS endpoint queries with aggressive caching. This research contributes practical implementation patterns for secure JWT authentication, providing both empirical evidence for JWKS-based security controls and a validated blueprint to neutralize critical vulnerabilities in modern microservices architectures.
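The abstract credits three controls for the results: an explicit algorithm whitelist, UUID-based key identifiers, and JWKS-driven key rotation. The Go program below is an added illustration of how those controls fit together on the verifying side; it is not code from the paper or from the City Courier system. It assumes an RS256-only policy, a JWKS served as plain RFC 7517 JSON, version-4 UUIDs as kid values, and the function names newKid, publishJWKS, signRS256 and verify are all hypothetical. Only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Added example, not the paper's code; names and the RS256-only policy are assumptions.
const allowedAlg = "RS256" // explicit whitelist: the token header never picks the algorithm
// kid values are opaque version-4 UUIDs, so a kid can never smuggle a path, URL or query.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)
var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// newKid returns a random version-4 UUID to identify a key in the JWKS.
func newKid() string {
	var u [16]byte
	rand.Read(u[:]) // crypto/rand; documented never to fail
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80 // version 4, RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// publishJWKS serialises the RFC 7517 document a JWKS endpoint would serve;
// rotation is modelled by publishing a fresh document under a new kid.
func publishJWKS(kid string, pub *rsa.PublicKey) []byte {
	out, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": "RSA", "kid": kid,
		"n": enc(pub.N.Bytes()), "e": enc(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}

// signRS256 issues a token bound to kid (issuer side).
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": allowedAlg, "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := enc(hdr) + "." + enc(pl)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig)
}

// verify checks, in order: token shape, alg whitelist, UUID-shaped kid, kid present in
// the current JWKS with an RSA key type, and finally the RS256 signature.
func verify(token string, jwksDoc []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, err := dec(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, fmt.Errorf("unreadable header")
	}
	if hdr.Alg != allowedAlg { // blocks "none" and HS* confusion before any key is touched
		return nil, fmt.Errorf("alg %q rejected by whitelist", hdr.Alg)
	}
	if !uuidRe.MatchString(hdr.Kid) {
		return nil, fmt.Errorf("kid is not a UUID")
	}
	var set struct{ Keys []map[string]string `json:"keys"` }
	if json.Unmarshal(jwksDoc, &set) != nil {
		return nil, fmt.Errorf("unreadable JWKS")
	}
	var key map[string]string
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("kid not in current JWKS (unknown or rotated out)")
	}
	nb, errN := dec(key["n"])
	eb, errE := dec(key["e"])
	sig, errS := dec(parts[2])
	rawPl, errP := dec(parts[1])
	if errN != nil || errE != nil || errS != nil || errP != nil {
		return nil, fmt.Errorf("bad base64url in key, payload or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var claims map[string]any
	err = json.Unmarshal(rawPl, &claims)
	return claims, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	kid := newKid()
	tok := signRS256(priv, kid, map[string]any{"sub": "courier-42"}) // constructed sample claim
	fmt.Println(verify(tok, publishJWKS(kid, &priv.PublicKey)))      // accepted
	fmt.Println(verify(tok, publishJWKS(newKid(), &priv.PublicKey))) // rejected after rotation
}
```

The ordering inside verify is the point: the algorithm and kid checks run before any key material is loaded, so a header that names "none" or an HMAC algorithm, or a kid that is not a well-formed UUID, is rejected without ever consulting the key set, and a token issued under a key that has since been rotated out fails at the JWKS lookup rather than at the signature step.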


References

M. Jones, J. Bradley, and N. Sakimura, “JSON Web Token (JWT),” RFC Editor, RFC7519, May 2015. doi: 10.17487/RFC7519.

M. G. De Almeida and E. D. Canedo, “Authentication and Authorization in Microservices Architecture: A Systematic Literature Review,” Applied Sciences, vol. 12, no. 6, p. 3023, Mar. 2022, doi: 10.3390/app12063023.

M. Jones, “JSON Web Algorithms (JWA),” RFC Editor, RFC7518, May 2015. doi: 10.17487/RFC7518.

F. Baldimtsi et al., “zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials,” in Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, in CCS ’24. Salt Lake City UT USA: Association for Computing Machinery, Dec. 2024, pp. 3182–3196. doi: 10.1145/3658644.3690356.

A. A. Simatupang, “IMPLEMENTASI RESTFUL WEB SERVICE DENGAN JSON WEB TOKEN DI PT. LESTARI ADIL MAKMUR,” Prosiding Seminar Nasional Mahasiswa Fakultas Teknologi Informasi (SENAFTI), vol. 2, no. 2, pp. 2183–2192, Oct. 2023.

National Institute of Standards and Technology, “CVE-2022-29217 Detail,” National Vulnerability Database. Accessed: Feb. 05, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

G. Tsigkourakos and C. Patsakis, “QRS: A Rule-Synthesizing Neuro-Symbolic Triad for Autonomous Vulnerability Discovery,” Feb. 10, 2026, arXiv: arXiv:2602.09774. doi: 10.48550/arXiv.2602.09774.

W. Wang et al., “VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities,” Sep. 03, 2025, arXiv: arXiv:2509.03331. doi: 10.48550/arXiv.2509.03331.

National Institute of Standards and Technology, “CVE-2024-37568 Detail,” National Vulnerability Database. Accessed: Feb. 05, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-37568

K. Bhatia, S. K. Pandey, V. K. Singh, and D. N. Gupta, “Hash and Physical Unclonable Function (PUF)-Based Mutual Authentication Mechanism,” Sensors, vol. 23, no. 14, Jul. 2023, doi: 10.3390/s23146307.

R. Chandran, “Cyber Security Holes of JSON Web Token,” in Next-Gen Technologies in Computational Intelligence: Proceeding of the International Conference on Next-Gen Technologies in Computational Intelligence (NGTCA 2023), 1st ed., London: CRC Press, 2024, pp. 201–206. doi: 10.1201/9781003430452-28.

S. K. Jangam, N. Karri, and P. S. R. P. Muntala, “Advanced API Security Techniques and Service Management,” International Journal of Emerging Research in Engineering and Technology, vol. 3, no. 4, pp. 63–74, Dec. 2022, doi: 10.63282/3050-922X.IJERET-V3I4P108.

A. Fedele and C. Roner, “Dangerous games: A literature review on cybersecurity investments,” Journal of Economic Surveys, vol. 36, no. 1, pp. 157–187, 2022, doi: 10.1111/joes.12456.

P. Philippaerts, D. Preuveneers, and W. Joosen, “OAuch: Exploring Security Compliance in the OAuth 2.0 Ecosystem,” in Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, in RAID ’22. New York, NY, USA: Association for Computing Machinery, Oct. 2022, pp. 460–481. doi: 10.1145/3545948.3545955.

A. Bucko, K. Vishi, B. Krasniqi, and B. Rexha, “Enhancing JWT Authentication and Authorization in Web Applications Based on User Behavior History,” Computers, vol. 12, no. 4, Apr. 2023, doi: 10.3390/computers12040078.

M. A. Shabi and R. R. Marie, “Analyzing Privacy Implications and Security Vulnerabilities in Single Sign-On Systems: A Case Study on OpenID Connect,” International Journal of Advanced Computer Science and Applications (IJACSA), vol. 15, no. 4, Apr. 2024, doi: 10.14569/IJACSA.2024.0150465.

L. Zhang, C. Zhou, and J. Wen, “APSH-JWT: An Authentication Protocol Based on JWT with Scalability and Heterogeneity in Edge Computing,” Wireless Networks, vol. 31, no. 3, pp. 2939–2953, Mar. 2025, doi: 10.1007/s11276-025-03926-2.

P. Varalakshmi, G. B, V. S. P, D. T, and S. K, “Improvising JSON Web Token Authentication in SDN,” in 2022 International Conference on Communication, Computing and Internet of Things (IC3IoT), IEEE, Mar. 2022, pp. 1–8. doi: 10.1109/IC3IOT53935.2022.9767873.

S. Ravikumar, “OAuth 1.0 vs. OAuth 2.0: An In-Depth Analysis of Token Handling, Client Authentication, and Developer Usability,” Journal of Mathematical & Computer Applications, vol. 4, no. 4, pp. 1–5, Aug. 2025, doi: 10.47363/JMCA/2025(4)212.

W. Niewolski, T. W. Nowak, M. Sepczuk, and Z. Kotulski, “Token-Based Authentication Framework for 5G MEC Mobile Networks,” Electronics, vol. 10, no. 14, p. 1724, Jul. 2021, doi: 10.3390/electronics10141724.

L. Brun, I. Hasuo, Y. Ono, and T. Sekiyama, “Automated Security Analysis for Real-World IoT Devices,” in Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy, in HASP ’23. New York, NY, USA: Association for Computing Machinery, Oct. 2023, pp. 29–37. doi: 10.1145/3623652.3623667.

A. F. Nugraha, H. Kabetta, I. K. S. Buana, and R. B. Hadiprakoso, “Performance and Security Comparison of Json Web Tokens (JWT) and Platform Agnostic Security Tokens (PASETO) on RESTful APIs,” in 2023 IEEE International Conference on Cryptography, Informatics, and Cybersecurity (ICoCICs), IEEE, Aug. 2023, pp. 15–22. doi: 10.1109/ICoCICs58778.2023.10277377.

U.-S. Potti, H.-S. Huang, H.-T. Chen, and H.-M. Sun, “Security Testing Framework for Web Applications: Benchmarking ZAP V2.12.0 and V2.13.0 by OWASP as an example,” Jan. 10, 2025, arXiv: arXiv:2501.05907. doi: 10.48550/arXiv.2501.05907.

C. Cremers, L. Garratt, S. Smyshlyaev, N. Sullivan, and C. Wood, “Randomness Improvements for Security Protocols,” RFC Editor, RFC 8937, Oct. 2020. doi: 10.17487/RFC8937.

Z. Wang et al., “Simple But Not Secure: An Empirical Security Analysis of Two-factor Authentication Systems,” Nov. 18, 2024, arXiv: arXiv:2411.11551. doi: 10.48550/arXiv.2411.11551.

D. Temoshok, J. Fenton, Y.-Y. Choong, N. Lefkovitz, A. Regenscheid, and J. Richer, “Digital Identity Guidelines: Authentication and Authenticator Management,” National Institute of Standards and Technology, Gaithersburg, MD, NIST SP 800-63B-4, 2024. doi: 10.6028/NIST.SP.800-63B-4.

J. Müller and J. Oupický, “Post-quantum XML and SAML Single Sign-On,” Proceedings on Privacy Enhancing Technologies, vol. 2024, no. 4, pp. 525–543, Oct. 2024, doi: 10.56553/popets-2024-0128.

S. Dalimunthe, J. Reza, and A. Marzuki, “The Model for Storing Tokens in Local Storage (Cookies) Using JSON Web Token (JWT) with HMAC (Hash-based Message Authentication Code) in E-Learning Systems,” Journal of Applied Engineering and Technological Science (JAETS), vol. 3, no. 2, pp. 149–155, Jun. 2022, doi: 10.37385/jaets.v3i2.662.

L. Perugini and A. Vesco, “An Efficient TLS 1.3 Handshake Protocol with VC Certificate Type,” in 2025 IEEE 22nd Consumer Communications & Networking Conference (CCNC), Jan. 2025, pp. 1–9. doi: 10.1109/CCNC54725.2025.10975914.

Z. Zairina, R. B. Huwae, and A. H. Jatmika, “IMPLEMENTASI OWASP TOP 10 DALAM PENGUJIAN PENETRASI WEBSITE: MENGIDENTIFIKASI CELAH KEAMANAN DALAM SISTEM PENGELOLAAN VOTING INDONESIA,” Jurnal Teknologi Informasi, Komputer, dan Aplikasinya (JTIKA), vol. 7, no. 1, pp. 98–108, Mar. 2025, doi: 10.29303/jtika.v7i1.456.

F. Pagano, A. Romdhana, D. Caputo, L. Verderame, and A. Merlo, “SEBASTiAn: A Static and Extensible Black-Box Application Security Testing Tool for iOS and Android Applications,” SoftwareX, vol. 23, p. 101448, Jul. 2023, doi: 10.1016/j.softx.2023.101448.

S. Rohlmann, V. Mladenov, C. Mainka, and J. Schwenk, “Breaking the Specification: PDF Certification,” in 2021 IEEE Symposium on Security and Privacy (SP), May 2021, pp. 1485–1501. doi: 10.1109/SP40001.2021.00110.

A. Folorunso, V. Mohammed, I. Wada, and B. Samuel, “The impact of ISO security standards on enhancing cybersecurity posture in organizations,” World Journal of Advanced Research and Reviews, vol. 24, no. 1, pp. 2582–2595, 2024, doi: 10.30574/wjarr.2024.24.1.3169.

H. Setiawan, N. A. Hana, and R. R. Hanaputra, “Mapping ISO 27001:2013 and COBIT 2019 Framework to STRIDE Threat Modeling Using Qualitative Descriptive Research,” Journal of Computer Engineering, Electronics and Information Technology, vol. 3, no. 2, pp. 101–110, Nov. 2024, doi: 10.17509/coelite.v3i2.73228.

Y.-C. Yang, K.-F. Lu, Y.-X. Chen, and R.-S. Tsay, “Ensuring GDPR Compliance in IoT Network With a Glass Box Security Guard System,” IEEE Transactions on Privacy, vol. 2, pp. 27–40, 2025, doi: 10.1109/TP.2025.3546854.

Published

2026-04-18

How to Cite

[1] F. A. Pratama, A. Hermanto, and G. Kusnanto, “Security Assessment of JWKS-Based Authentication: Mitigating JWT Attack Vectors Through Penetration Testing,” J. Tek. Inform. (JUTIF), vol. 7, no. 2, pp. 1834–1852, Apr. 2026.