Auth0 has a great write-up on common JWT attacks that is worth a look for anyone using JWTs for authorization. I've provided a summary here as a TL;DR.
JWT Headers
- Do not process a JWT body before checking the header.
- Ensure the header contains the correct `alg` and not `alg: none`.
- If you are using HS256, consider switching to RS256 to avoid brute-force attacks on the shared secret.
Encryption
- If you are using elliptic-curve cryptography, ensure your implementation verifies that public keys are valid points on the chosen curve and that private keys lie inside the valid range of values.
Body
- Check all provided claims (`exp`, `iat`, `aud`, `sub`, `nbf`) before trusting the token.
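As an added illustration of the header-first and claim checks summarized above (this is my own example, not code from the Auth0 article), here is a minimal HS256 verifier using only the Python standard library. The secret, audience and claim values are constructed for the demo; the point is the order of checks: pinned `alg` first, then signature, then every claim.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALG = "HS256"  # pinned in the verifier, never taken from the token
REQUIRED_CLAIMS = ("exp", "iat", "nbf", "aud", "sub")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: build a compact HS256 token over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Verifier side: return the claims only if header, signature and claims all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    # 1. Header first: compare against the pinned algorithm, so "none",
    #    a swapped algorithm or a missing alg all fail before anything else.
    if json.loads(b64url_decode(h)).get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    # 2. Signature over the raw header.body, compared in constant time.
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # 3. Only now parse the body; require every claim rather than treating
    #    an absent one as "no restriction".
    claims = json.loads(b64url_decode(b))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["iat"] > now or claims["nbf"] > now:
        raise ValueError("token not yet valid")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    return claims
```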
These were just the most interesting take-aways. I highly suggest folks read the entire article.