Json Tokens (JWT) Token Checks

Akash Venky
3 min readJan 31, 2024

--

DO yu See JWT Token`s in the Request, below are the JSON Tests cases for Authentication Checks.

  1. Basic credentials: {“login”: “admin” , “password”: “admin”}
  2. Empty credentials: {“login”: “” , “password”: “”}
  3. Null values: {“login”: null, “password”: null}
  4. Credentials as numbers: {“login”: 123, “password”: 456}
  5. Credentials as booleans: {“login”: true, “password”: false}
  6. Credentials as arrays: {“login”: [“admin”], “password”: [“password”]}
  7. Credentials as objects: {“login”: {“username”: “admin” , “password”: {“password”: “password”}}}
  8. Special characters in credentials: {“login”: “@dm!n” , “password”: “p@ssw0rd#”}
  9. SQL Injection: {“login”: “admin’ — “ , “password”: “password”}
  10. HTML tags in credentials: {“login”: “admin“ , “password”: “ololo-HTML-XSS”}
  11. Unicode in credentials: {“login”: “\u0061\u0064\u006D\u0069\u006E” , “password”: “\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u 0064”}
  12. Credentials with escape characters: {“login”: “ad\\nmin” , “password”: “pa\\ssword”}
  13. Credentials with white space: {“login”: “ “ , “password”: “ “}
  14. Overlong values: {“login”: “a”*10000, “password”: “b”*10000}
  15. Malformed JSON (missing brace): {“login”: “admin” , “password”: “admin”}
  16. Malformed JSON (extra comma): {“login”: “admin” , “password”: “admin” , }
  17. Missing login key: {“password”: “admin”}
  18. Missing password key: {“login”: “admin”}
  19. Swapped key values: {“admin”: “login” , “password”: “password”}
  20. Extra keys: {“login”: “admin” , “password”: “admin” , “extra”: “extra”}
  21. Missing colon: {“login” “admin” , “password”: “password”}
  22. Invalid Boolean as credentials: {“login”: yes, “password”: no}
  23. All keys, no values: {“”: “” , “”: “”}
  24. Nested objects: {“login”: {“innerLogin”: “admin” , “password”: {“innerPassword”: “password”}}}
  25. Case sensitivity testing: {“LOGIN”: “admin” , “PASSWORD”: “password”}
  26. Login as a number, password as a string: {“login”: 1234, “password”: “password”}
  27. Login as a string, password as a number: {“login”: “admin” , “password”: 1234}
  28. Repeated keys: {“login”: “admin” , “login”: “user” , “password”: “password”}
  29. Single quotes instead of double: {‘login’: ‘admin’ , ‘password’: ‘password’}
  30. Login and password with only special characters: {“login”: “@#$%^&*” , “password”: “!@#$%^&*”}
  31. Unicode escape sequence: {“login”: “\u0041\u0044\u004D\u0049\u004E” , “password”: “\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u 0044”}
  32. Value as object instead of string: {“login”: {“$oid”: “507c7f79bcf86cd7994f6c0e”}, “password”: “password”}}
  33. Nonexistent variables as values: {“login”: undefined, “password”: undefined}
  34. Extra nested objects: {“login”: “admin” , “password”: “password” , “extra”: {“key1”: “value1” , “key2”: “value2”}}
  35. Hexadecimal values: {“login”: “0x1234” , “password”: “0x5678”}
  36. Extra symbols after valid JSON: {“login”: “admin” , “password”: “password”}@@@@@@}
  37. Only keys, without values: {“login”:, “password”:}
  38. Insertion of control characters: {“login”: “ad\u0000min” , “password”: “pass\u0000word”}
  39. Long Unicode Strings: {“login”: “\u0061”*10000, “password”: “\u0061”*10000}
  40. Newline Characters in Strings: {“login”: “ad\nmin” , “password”: “pa\nssword”}
  41. Tab Characters in Strings: {“login”: “ad\tmin” , “password”: “pa\tssword”}
  42. Test with HTML content in Strings: {“login”: “admin” , “password”: “password”}
  43. JSON Injection in Strings: {“login”: “{\”injection\”:\”value\”}” , “password”: “password”}
  44. Test with XML content in Strings: {“login”: “admin” , “password”: “password”}
  45. Combination of Number, Strings, and Special characters: {“login”: “ad123min!@” , “password”: “pa55w0rd!@”}
  46. Floating numbers as Strings: {“login”: “123.456” , “password”: “789.123”}
  47. Value as a combination of languages (Here, English and Hindi): {“login”: “adminवà¥à¤¯à¤µà¤¸à¥à¤ ¥à¤¾à¤ªà¤•” , “password”: “passwordपासवरà¥à¤¡”}
  48. Non-ASCII characters in Strings: {“login”: “∆admin∆” , “password”: “∆password∆”}
  49. Single Character Keys and Values: {“l”: “a” , “p”: “p”}
  50. Use of environment variables: {“login”: “${USER}” , “password”: “${PASS}”}

Suggestions are most welcomed,

Please write a mail to Akash.venky091@gmail.com, Also you can follow me here for more updates on Security, Ethical hacking at Akash Venky or contact me @ https://www.linkedin.com/in/akash-h-c-4a4090a7/

--

--

Akash Venky
Akash Venky

No responses yet