JWT Attack Playground
Learn how JSON Web Tokens get broken — by forging the attacks yourself and firing them at a configurable verifier. Every byte of crypto runs in your browser.
🔒 100% client-side · nothing leaves your browser · works offlineDecode & inspect
Paste any JWT. It's decoded locally — the header, payload, and claims never leave your browser.
—
—
| Claim | Value | Meaning |
|---|
Check whether the pasted token's signature is actually valid — using the algorithm from its own header. HS256 takes a secret; RS256/ES256/PS256 take the matching public key PEM.
Attack modules
Each module forges a token from the payload in step 1 (or its own inputs), explains the server-side flaw it abuses, and — for the live attacks — lets you fire it at the verifier in step 3.
alg: none — strip the signature
live
alg: none — strip the signature
The JWS spec defines an alg of none: an
unsigned token with an empty signature. If a server trusts the header, it accepts a token
anyone can mint. Naive denylists that block "none" often
miss case variants.
alg from
attacker-controlled data and skips verification when it says none.
none.
Algorithm confusion — RS256 → HS256
live
An RS256 server verifies with an RSA public key — which is, by definition, public.
If the verifier trusts the header's alg, an attacker switches it to
HS256 and signs with HMAC using the public key bytes as the
secret. The server, holding that same public key, HMAC-verifies successfully.
Two variants because the server's stored key file may or may not end in a newline — that one byte changes the HMAC. Try both against the verifier.
The same trick works with an EC (ES256) public key — the forge HMACs whatever
public-key bytes you paste, so paste an EC PUBLIC KEY PEM too.
algorithms: ['RS256'].
jwk header injection — self-signed key
live
jwk header injection — self-signed key
A JWS header may carry its own verification key in a jwk field. If
the server verifies against that embedded key instead of a key it controls, an attacker
generates their own keypair, embeds the public key in the header, and signs with the
matching private key. It verifies — because the attacker supplied both halves.
—
jwk/jku/x5c,
or restrict them to a pinned, server-side allowlist.
Weak-secret brute-force (HS256)
live
HS256 tokens are only as strong as their secret. This runs a ~10,000-entry wordlist of common secrets against the token's signature — entirely in a background thread in your browser.
Claim tampering — edit & re-sign
live
Change any claim (say "role":"admin") and re-sign with a key you
control or have cracked. If the server's key is weak/leaked, or it doesn't verify at all, the
tampered token sails through.
kid header injection
advanced
kid header injection
The kid (key ID) header tells the server which key to load. If the
server uses it unsanitised, an attacker can point it at a file whose contents they control or
can predict — e.g. path traversal to an empty/known file (kid:
"../../../../dev/null" → empty key) — or SQL-inject the key lookup to return a chosen value.
Then they sign with that known key.
kid is attacker-controlled input used
to select a secret, without validation.
Live demo: forge an HS256 token whose kid traverses to
/dev/null, signed with an empty secret — what a vulnerable
server would then read and verify against.
kid as an opaque lookup into an
allowlist of known keys; never use it as a file path or SQL parameter.
jku / x5u URL abuse
advanced
jku / x5u URL abuse jku (JWK Set URL) and x5u (X.509 cert URL)
headers tell the server where to fetch the verification key. If the server fetches from an
attacker-controlled or SSRF-reachable URL, the attacker hosts their own public key
there, signs with the matching private key, and the token verifies.
Explain-only here — a live demo would require a network fetch, which this tool deliberately
never makes. The forged header simply looks like:
{"alg":"RS256","jku":"https://attacker.example/jwks.json","kid":"1"}.
jku/x5u,
or restrict them to a strict allowlist of trusted hosts; pin your JWKS endpoint server-side.
Simulated verifier
A pretend server that verifies a token. Configure it vulnerable or secure, then fire a forged token at it. It models the common footgun: a library that picks the algorithm from the token's own header.
“Send to verifier” fills this automatically to match each attack.