Repository record (ecosyste.ms): https://github.com/dr34mhacks/jwtauditor
Description: JWT Auditor – Analyze, break, and understand your tokens like a pro.
Homepage: https://jwtauditor.com/ | Language: HTML | License: apache-2.0 | Default branch: main
Topics: jwt, jwt-auth, jwt-hacking, jwt-token, pentesting-tools
Categories: Authentication & Keys / JWT Auditor
Created: 2025-07-08 | Last push: 2025-12-20 | Stars: 303 | Forks: 49 | Open issues: 0

# 🔐 JWTAuditor - Advanced JWT Pentesting Platform

<div align="center">

![JWTAuditor Logo](https://raw.githubusercontent.com/dr34mhacks/jwtauditor/refs/heads/main/img/og-image.png)

**Professional JWT security testing platform for penetration testers and cybersecurity professionals**

[![Live Demo](https://img.shields.io/badge/🌐_Live_Demo-jwtauditor.com-00d4aa?style=for-the-badge)](https://jwtauditor.com)
[![GitHub Stars](https://img.shields.io/github/stars/dr34mhacks/jwtauditor?style=for-the-badge&color=yellow)](https://github.com/dr34mhacks/jwtauditor/stargazers)
[![GitHub Issues](https://img.shields.io/github/issues/dr34mhacks/jwtauditor?style=for-the-badge&color=red)](https://github.com/dr34mhacks/jwtauditor/issues)
[![License](https://img.shields.io/badge/License-Apache%2F2.0-blue?style=for-the-badge)](LICENSE)

*Decode • Analyze • Exploit • Secure*

</div>

## 🚀 What is JWTAuditor?

JWTAuditor is a comprehensive, **100% client-side** JWT (JSON Web Token) security testing platform designed by penetration testers, for penetration testers. Born out of real-world frustrations with existing tools, JWTAuditor provides everything you need to audit JWT implementations without compromising your data privacy.

### ✨ Key Features

- 🔍 **Advanced Security Analysis** - Automated vulnerability detection with detailed explanations
- ⚡ **Secret Bruteforcing** - Test against common secrets and custom wordlists
- ✏️ **JWT Editor** - Modify tokens with support for various signing algorithms
- 🔧 **JWT Generator** - Create tokens from scratch with RSA key generation
- 🎯 **Advanced Attack Platform** - 7 specialized attack modules for comprehensive testing
- 📚 **Comprehensive Documentation** - Learn JWT security with our detailed guides
- 🔒 **100% Client-Side** - Your tokens never leave your browser

## 🎯 Why JWTAuditor?

### The Problem We Solved
During penetration testing engagements, we constantly encountered JWT tokens but struggled with:
- Complex tools requiring server-side processing
- Inconsistent tooling across different environments
- Privacy concerns with online JWT tools
- Limited vulnerability detection capabilities
- Poor documentation and learning resources

### Our Solution
JWTAuditor addresses all these pain points with:
- **Privacy-First Design** - All processing happens locally in your browser
- **Comprehensive Analysis** - Detects 15+ vulnerability types automatically
- **Educational Value** - Each finding includes detailed explanations and remediation advice
- **Professional Grade** - Built by experienced pentesters who understand real-world needs

## 🛠️ Features Deep Dive

### 🔍 Security Analyzer
- Algorithm vulnerability detection (none, weak algorithms, confusion attacks)
- Sensitive data exposure (PII, credentials, credit cards)
- Missing security claims (exp, iss, aud, jti)
- Header injection vulnerabilities (kid parameter attacks)
- Token lifetime and replay attack analysis
- **15+ security checks** with detailed remediation guidance

### 🎯 Advanced Attack Platform
- **None Algorithm Bypass** - Remove signature verification completely
- **Algorithm Confusion** - Convert RS256 to HS256 with 14+ variations
- **KID Parameter Injection** - 47+ payloads for path traversal and command injection
- **JKU/X5U Manipulation** - Remote key injection with automatic RSA key generation
- **JWK Header Injection** - Embed malicious public keys directly in token headers
- **Privilege Escalation** - Systematic claim manipulation for privilege escalation
- **Claim Spoofing** - Advanced payload generation for identity manipulation

### ⚡ Secret Bruteforcer
- Built-in JWT secrets wordlist (1000+ common secrets)
- Custom wordlist support with file upload
- Real-time progress tracking
- Supports HS256, HS384, HS512 algorithms
- Web Worker implementation for optimal performance

### ✏️ JWT Editor & Generator
- Visual JSON editor with syntax highlighting
- Support for symmetric (HS*) and asymmetric (RS*) algorithms
- RSA key pair generation for testing
- Signature verification capabilities
- Token manipulation for exploit development

### 📚 Documentation Hub
- JWT fundamentals and best practices
- Comprehensive vulnerability guide
- Attack technique explanations with step-by-step guides
- Secure implementation guidelines
- Tool-specific usage guides

## 🚀 Quick Start

### Option 1: Use Online (Recommended)
Visit [jwtauditor.com](https://jwtauditor.com) and start testing immediately!

### Option 2: Run with Docker (Recommended for Local)
```bash
# Clone the repository
git clone https://github.com/dr34mhacks/jwtauditor.git
cd jwtauditor

# Build and run with Docker Compose (easiest)
docker-compose up -d

# Or build and run manually
docker build -t jwtauditor .
docker run -d -p 8080:80 --name jwtauditor-app jwtauditor

# Open in browser
open http://localhost:8080
```

### Option 3: Run Locally (Development)
```bash
# Clone the repository
git clone https://github.com/dr34mhacks/jwtauditor.git
cd jwtauditor

# Serve locally (Python 3)
python -m http.server 8000

# Or with Node.js
npx serve .

# Open in browser
open http://localhost:8000
```

### 🐳 Docker Features
- **Production-ready** Nginx server with optimized configuration
- **Security headers** and CSP policies configured
- **Gzip compression** for better performance
- **Health checks** for monitoring
- **Static asset caching** for faster loading
- **Clean container** with unnecessary files removed

## 🤝 Contributing

We welcome contributions from the security community! Here's how you can help:

### 🐛 Report Issues
Found a bug or have a feature request? [Open an issue](https://github.com/dr34mhacks/jwtauditor/issues/new) and let us know!

**When reporting issues, please include:**
- Browser version and operating system
- Steps to reproduce the issue
- Expected vs actual behavior
- Screenshots if applicable

### 🤝 Community
An open-source project built by security researchers for the cybersecurity community

## 📜 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## ⚖️ Legal Disclaimer

JWTAuditor is intended for authorized security testing and educational purposes only. Users are responsible for ensuring they have proper authorization before testing any systems. The developers are not responsible for any misuse of this tool.

## 🙏 Acknowledgments

- **Security Community** - For sharing JWT vulnerabilities and attack techniques
- **Wallarm** - For the comprehensive JWT secrets wordlist
- **PortSwigger** - For JWT security research and documentation
- **Open Source Contributors** - For cryptographic libraries and tools
- **Penetration Testers Worldwide** - For feedback and real-world testing

---

<div align="center">

**⭐ Don't forget to star this repository if it helped you! ⭐**

**Built with ❤️ by security professionals, for security professionals**

*JWTAuditor - Because your tokens deserve better security*

</div>