API Security Blog

PYSEC-2022-259

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may, for example, enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication.
