JWT Arsenal

100% client-side · No data leaves your browser

A client-side JWT exploitation toolkit for pentesters, bug bounty hunters, and CTF players. Inspect tokens, forge exploits, and understand JWT vulnerabilities - all in your browser.

Inspect a JWT · CLI Cheatsheet · Knowledge Base

Exploitation Techniques

7 attacks

Unverified Signature

Server accepts tokens without verifying the signature - modify any claim freely.

Algorithm None

Set alg to "none" and strip the signature - server accepts the unsigned token.

Algorithm Confusion

Server uses RS256 but accepts HS256 - sign with the public key as HMAC secret.

KID Injection

Inject path traversal or SQL into the kid header to control which key is used.

JWK Injection

Embed your own public JWK in the header - server uses it to verify your forged token.

JKU Injection

Point JKU to an attacker-controlled JWKS endpoint to supply your own signing key.

Public Key Recovery

Recover the RSA public key from two signatures, then perform algorithm confusion.

Why JWT Arsenal?

jwt.io is great for decoding, but it doesn't help you exploit.

Every JWT exploitation tool you'll find is CLI-only - jwt_tool, hashcat, or custom Python scripts. There's no browser-based UI for forging attack-specific tokens.

JWT Arsenal fills that gap. Every cryptographic operation runs in your browser using the Web Crypto API. No token, key, or payload ever leaves your machine.

For operations too heavy for the browser (brute-force, GCD-based key recovery), JWT Arsenal provides ready-to-paste CLI commands in the Cheatsheet and deep technical context in the Knowledge Base.

Start by inspecting a token
Decode headers, claims, and timestamps - then send it to any exploit page.