W-JWT-ALG-CONFUSIONCredential Access

JWT — RS256 → HS256 Algorithm Confusion

Sign an HS256 token using the server's public RSA key as the HMAC secret — server verifies it as RS256-compatible HMAC.

§ Where this technique fits

W-JWT-ALG-CONFUSION is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

JWT RS256 → HS256 algorithm confusion → admin
Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
step 3 / 6

§ What commonly comes next

01
Pass the Ticket
T1550.003 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

JWT RS256 → HS256 algorithm confusion → admin

§ What commonly comes next