JWT Arsenal
100% client-side · No data leaves your browser
A client-side JWT exploitation toolkit for pentesters, bug bounty hunters, and CTF players. Debug tokens, forge exploits, and understand JWT vulnerabilities - all in your browser.
Exploitation Techniques
7 attacksUnverified Signature
Server accepts tokens without verifying the signature - modify any claim freely.
Algorithm None
Set alg to "none" and strip the signature - servers might accept unsigned tokens.
Algorithm Confusion
Server uses RS256 but accepts HS256 - sign with the public key as HMAC secret.
KID Injection
Inject path traversal or SQL into the kid header to control which key is used.
JWK Injection
Embed your own public JWK in the header - servers might use it to verify your forged token.
JKU Injection
Point JKU to an attacker-controlled JWKS endpoint to supply your own signing key.
Public Key Recovery
Recover the RSA public key from two signatures, then perform algorithm confusion.
Start by debugging a token
Decode headers, claims, and timestamps - then send it to any exploit page.