cybersecurity · beginner · ~12 min · safe pentest lab

Validate JWT structure

Structural validation of a dotted, character-restricted token.

Challenge

Your job

int jwt_is_wellformed(const char *tok);

Return 1 if tok is structurally a JWT: exactly three non-empty segments separated by a dot (.), where every character of every segment is base64url (A-Z a-z 0-9 - _). Otherwise return 0 (including when tok is NULL).

(Decoding the header to reject alg:"none" is a separate, deeper check — this one is structure only.)

Hints

  1. Walk the string; count dots; reject any non-base64url char.
  2. Each of the 3 segments must be non-empty.

Why this matters

Before you ever verify a JWT's signature you must confirm its shape: exactly three base64url segments. Malformed tokens should be rejected early.

Starter code

int jwt_is_wellformed(const char *tok) {
    /* TODO */
    (void)tok;
    return 0;
}

Common mistakes

Allowing empty segments. Accepting standard base64 chars (+/=). Not requiring exactly two dots.

Edge cases to handle

Trailing dot (empty last segment). Four parts. Empty string.

Complexity

O(n).
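
One way to meet the specification above in a single pass, given as an added reference example that is not part of the original exercise or its test harness. The helper is_b64url and the sample inputs in main are constructed here; ASCII character ordering is assumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Base64url alphabet only: A-Z a-z 0-9 - _ (no '+', '/', or '=' padding). */
static int is_b64url(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

int jwt_is_wellformed(const char *tok) {
    size_t seg_len = 0; /* characters seen in the current segment */
    int dots = 0;

    if (tok == NULL) return 0;
    for (const char *p = tok; *p != '\0'; p++) {
        if (*p == '.') {
            /* A dot closes a segment: the segment must be non-empty,
               and a third dot would mean four parts. */
            if (seg_len == 0 || ++dots > 2) return 0;
            seg_len = 0;
        } else if (is_b64url((unsigned char)*p)) {
            seg_len++;
        } else {
            return 0; /* '+', '/', '=', whitespace, anything else */
        }
    }
    /* Exactly two dots, and the last segment is non-empty. */
    return dots == 2 && seg_len > 0;
}

int main(void) {
    /* Constructed inputs covering the edge cases listed above; not real tokens. */
    static const struct { const char *tok; int want; } cases[] = {
        {"aaa.bbb.ccc", 1}, {"a-_.B9.c", 1}, {"", 0}, {"aaa.bbb", 0},
        {"aaa.bbb.", 0}, {".bbb.ccc", 0}, {"aaa..ccc", 0},
        {"a.b.c.d", 0}, {"aa+.bb/.cc=", 0}, {"a b.c.d", 0},
    };
    int failures = (jwt_is_wellformed(NULL) != 0);
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int got = jwt_is_wellformed(cases[i].tok);
        if (got != cases[i].want) failures++;
        printf("\"%s\" -> %d (want %d)\n", cases[i].tok, got, cases[i].want);
    }
    return failures; /* 0 when every case matches */
}
```

A token that passes this check is only well-shaped; the header, claims and signature still have to be decoded and verified separately.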
