Share
## https://sploitus.com/exploit?id=1327D664-205E-518C-BB93-946D3DB0DA5D
# β‘ AVSIG
> **JWT Inspector & Security Auditor** - decode, analyze, and exploit-test JSON Web Tokens directly in your browser.
> **Zero server contact. Pure client-side. Built for hackers.**
```
o o o o__ __o __o__ o__ __o
/v v\ | /v v\
/ \ /> v\ /v \_\__o__ | \ \\ |
o/ \o \o o/ \ / | \ /
/v v\ v\ /v o o o o o
/> __|>_
```
Named after the infamous **`alg:none` (null signature)** attack - where verification simplyβ¦ doesnβt exist.
---
## π LIVE DEMO
π **https://avsig.vercel.app**
Paste a JWT -> get:
* decoded structure
* claim analysis
* real-time expiry
* security audit
---
## π FEATURES
### π Token Intelligence
* Decode **Header / Payload / Signature**
* Clean, color-coded structure view
* Handles malformed & edge-case tokens
### π§ Claims Inspector
* Type-aware rendering (`string`, `number`, `array`, etc.)
* Human-readable timestamps (`exp`, `iat`, `nbf`)
* Highlights abnormal values automatically
### β±οΈ Live Expiry Engine
* Real-time countdown timer
* Flags:
* expired tokens
* near-expiry ( infinite session |
| `exp-far` | π‘ Warning | Long-lived token -> higher impact if stolen |
| `sensitive-claims` | π‘ Warning | Exposed secrets in payload |
| `nbf-future` | π‘ Warning | Token not yet valid |
| `kid-present` | π΅ Info | Potential key ID injection vector |
| `weak-secret-hint` | π΅ Info | Symmetric algo used (HS256/384/512) |
---
## βοΈ BUILT FOR REAL-WORLD ATTACKS
NullSig doesnβt just decode - it **thinks like an attacker**.
Detects patterns behind:
* `alg:none` bypass
* JKU/X5U injection
* Algorithm confusion (RS256 β HS256)
* Weak secret risks
* Privilege escalation scenarios
---
## π§± TECH STACK
| Layer | Tech |
| ---------- | ------------ |
| Framework | Next.js 15 |
| Language | TypeScript |
| Styling | Tailwind CSS |
| JWT Engine | jose |
| UI | shadcn/ui |
| Deployment | Vercel |
---
## βοΈ GETTING STARTED
```bash
# Clone repo
git clone https://github.com/0xekalavya/avsig.git
cd avsig
# Install deps
npm install
# Run locally
npm run dev
```
Open β http://localhost:3000
---
## ποΈ PROJECT STRUCTURE
```
nullsig/
βββ app/
β βββ page.tsx
β βββ layout.tsx
β βββ globals.css
βββ components/
β βββ TokenInput.tsx
β βββ StructureView.tsx
β βββ ClaimsTree.tsx
β βββ ExpiryBadge.tsx
β βββ SecurityPanel.tsx
βββ lib/
βββ jwt.ts
```
---
## βοΈ HOW IT WORKS
```
JWT Input
β
βΌ
inspectJWT()
β
βββ decodeProtectedHeader()
βββ decodeJwt()
βββ analyzeClaims()
βββ checkExpiry()
βββ runSecurityChecks()
β
βΌ
UI Components Render Results
```
---
## π§ ROADMAP
* [ ] Signature verification (secret / public key input)
* [ ] Attack simulation panel π₯
* [ ] JWKS fetch & validation
* [ ] Token diff viewer
* [ ] Export audit report (PDF)
* [ ] Chrome extension
* [ ] Burp Suite integration π
---
## π€ CONTRIBUTING
```bash
git checkout -b feat/your-feature
git commit -m "feat: add something cool"
git push origin feat/your-feature
```
Open a PR β letβs build this into a **go-to JWT hacking tool**.
---
## π LICENSE
MIT - use it, break it, improve it.
---
## π¨βπ» AUTHOR
Built by **[@ekalavya](https://instagram.com/ekalavya.dev)**
> *βJWTs are not secure by default. Theyβre just encoded trust.β*