Share
## https://sploitus.com/exploit?id=1327D664-205E-518C-BB93-946D3DB0DA5D
# ⚑ AVSIG

> **JWT Inspector & Security Auditor** - decode, analyze, and exploit-test JSON Web Tokens directly in your browser.
> **Zero server contact. Pure client-side. Built for hackers.**

```
         o     o              o     o__ __o     __o__       o__ __o     
                          /v     v\      |        /v     v\    
        / \                 />                v\          /v        \_\__o__    |                   \        \\          |   
   o/         \o   \o    o/       \         /     |       \         /   
  /v           v\   v\  /v         o       o      o        o       o    
 />                           __|>_          
                                                                        
                                                                        
                                                                        
```

Named after the infamous **`alg:none` (null signature)** attack - where verification simply… doesn’t exist.

---

## 🌐 LIVE DEMO

πŸ‘‰ **https://avsig.vercel.app**

Paste a JWT -> get:

* decoded structure
* claim analysis
* real-time expiry
* security audit

---

## πŸš€ FEATURES

### πŸ” Token Intelligence

* Decode **Header / Payload / Signature**
* Clean, color-coded structure view
* Handles malformed & edge-case tokens

### 🧠 Claims Inspector

* Type-aware rendering (`string`, `number`, `array`, etc.)
* Human-readable timestamps (`exp`, `iat`, `nbf`)
* Highlights abnormal values automatically

### ⏱️ Live Expiry Engine

* Real-time countdown timer
* Flags:

  * expired tokens
  * near-expiry ( infinite session           |
| `exp-far`          | 🟑 Warning  | Long-lived token -> higher impact if stolen |
| `sensitive-claims` | 🟑 Warning  | Exposed secrets in payload                 |
| `nbf-future`       | 🟑 Warning  | Token not yet valid                        |
| `kid-present`      | πŸ”΅ Info     | Potential key ID injection vector          |
| `weak-secret-hint` | πŸ”΅ Info     | Symmetric algo used (HS256/384/512)        |

---

## βš”οΈ BUILT FOR REAL-WORLD ATTACKS

NullSig doesn’t just decode - it **thinks like an attacker**.

Detects patterns behind:

* `alg:none` bypass
* JKU/X5U injection
* Algorithm confusion (RS256 β†’ HS256)
* Weak secret risks
* Privilege escalation scenarios

---

## 🧱 TECH STACK

| Layer      | Tech         |
| ---------- | ------------ |
| Framework  | Next.js 15   |
| Language   | TypeScript   |
| Styling    | Tailwind CSS |
| JWT Engine | jose         |
| UI         | shadcn/ui    |
| Deployment | Vercel       |

---

## βš™οΈ GETTING STARTED

```bash
# Clone repo
git clone https://github.com/0xekalavya/avsig.git
cd avsig

# Install deps
npm install

# Run locally
npm run dev
```

Open β†’ http://localhost:3000

---

## πŸ—οΈ PROJECT STRUCTURE

```
nullsig/
β”œβ”€β”€ app/
β”‚   β”œβ”€β”€ page.tsx
β”‚   β”œβ”€β”€ layout.tsx
β”‚   └── globals.css
β”œβ”€β”€ components/
β”‚   β”œβ”€β”€ TokenInput.tsx
β”‚   β”œβ”€β”€ StructureView.tsx
β”‚   β”œβ”€β”€ ClaimsTree.tsx
β”‚   β”œβ”€β”€ ExpiryBadge.tsx
β”‚   └── SecurityPanel.tsx
└── lib/
    └── jwt.ts
```

---

## βš™οΈ HOW IT WORKS

```
JWT Input
   β”‚
   β–Ό
inspectJWT()
   β”‚
   β”œβ”€β”€ decodeProtectedHeader()
   β”œβ”€β”€ decodeJwt()
   β”œβ”€β”€ analyzeClaims()
   β”œβ”€β”€ checkExpiry()
   └── runSecurityChecks()
   β”‚
   β–Ό
UI Components Render Results
```

---

## 🧠 ROADMAP

* [ ] Signature verification (secret / public key input)
* [ ] Attack simulation panel πŸ”₯
* [ ] JWKS fetch & validation
* [ ] Token diff viewer
* [ ] Export audit report (PDF)
* [ ] Chrome extension
* [ ] Burp Suite integration πŸ‘€

---

## 🀝 CONTRIBUTING

```bash
git checkout -b feat/your-feature
git commit -m "feat: add something cool"
git push origin feat/your-feature
```

Open a PR β€” let’s build this into a **go-to JWT hacking tool**.

---

## πŸ“œ LICENSE

MIT - use it, break it, improve it.

---

## πŸ‘¨β€πŸ’» AUTHOR

Built by **[@ekalavya](https://instagram.com/ekalavya.dev)**

> *β€œJWTs are not secure by default. They’re just encoded trust.”*