https://github.com/sciguy16/jwt-explorer
Decode, explore, and sign JWTs
jwt jwt-token security security-tools
- Host: GitHub
- URL: https://github.com/sciguy16/jwt-explorer
- Owner: sciguy16
- License: apache-2.0
- Created: 2021-09-24T10:09:32.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-03-25T01:17:57.000Z (about 3 years ago)
- Last Synced: 2025-04-04T08:45:32.265Z (about 1 year ago)
- Topics: jwt, jwt-token, security, security-tools
- Language: Rust
- Size: 2.38 MB
- Stars: 11
- Watchers: 2
- Forks: 2
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: Changelog.md
- License: LICENSE-APACHE
# JWT Explorer
A utility for inspecting, modifying, and attacking JWTs.
Supports Windows and Linux, and probably also works on macOS, but this has not been tested.

## Usage
```bash
cargo run --release
```
Or download the latest release for your platform from [the releases page](https://github.com/sciguy16/jwt-explorer/releases)!
## Features
* Decode JWTs and inspect the headers and claims
* Automatically try some common secrets
* Generate `alg:none` attack payloads
* Easily update `iat` and `exp` with various offsets
* Sign and encode tokens with common algorithms
* Accept and encode invalid JSON payloads
* Alter the claims while retaining the original signature
* Signature types: HMAC-SHA, ECDSA, RSASSA-PKCS1-v1_5
## Attacks
- alg:none
  "Sign" the JWT with an empty signature and set the algorithm type to "None".
  Accepted by some implementations which trust the JWT's choice of signature algorithm.
  Some parsers check for "none" but don't check for e.g. "nOnE".
  Make sure to try with and without the trailing dot.
- Null signature
  Leave the original header intact but don't provide a signature.
  Make sure to try with and without the trailing dot.
- Retain original signature
  Tamper with the claims while leaving the original signature intact.
- Guess common secrets
  If the token has been signed with an HMAC then try a few common secrets.
  This is not a substitute for passing the token to Hashcat, but can get some easy wins.
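The verifier-side checks that close off each attack listed above, as an added Python example that is not part of jwt-explorer: an exact-match algorithm allowlist owned by the verifier, a mandatory signature segment, a constant-time HMAC comparison and a minimum key length, exercised against one constructed token per attack. The key, claims and clock value are constructed sample values.

```python
import base64, hashlib, hmac, json
ALLOWED_ALGS = {"HS256": hashlib.sha256}  # verifier-owned; "alg" is matched exactly, so "none"/"nOnE"/"hs256" all fail
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign_hs256(claims: dict, key: bytes) -> str:
    if len(key) < 32:  # short, guessable keys are what "guess common secrets" relies on
        raise ValueError("HS256 key must be at least 256 bits")
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, key: bytes, now: int) -> dict:
    parts = token.split(".")
    if len(parts) != 3:  # the "no trailing dot" variants fail here, before any header parsing
        raise ValueError("expected header.payload.signature")
    h, p, s = parts
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not s:  # null signature, or alg:none with a trailing dot
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{h}.{p}".encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("signature mismatch")  # also catches edited claims under the old signature
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
def check(token: str, key: bytes, now: int) -> str:
    try:
        verify(token, key, now)
        return "ok"
    except (ValueError, UnicodeDecodeError, json.JSONDecodeError) as exc:
        return f"rejected: {exc}"
KEY = b"constructed-demo-key-not-for-real-use-0123456789"  # constructed sample key
NOW = 1_700_000_000  # fixed clock so the cases are deterministic
GOOD = sign_hs256({"sub": "user", "exp": NOW + 600}, KEY)
H, P, SIG = GOOD.split(".")
NONE_H, MIXED_H = b64url_encode(b'{"alg":"none"}'), b64url_encode(b'{"alg":"nOnE"}')
TAMPERED_P = b64url_encode(b'{"sub":"admin","exp":1700000600}')
CASES = {  # one malformed token per attack in the README; every one must be rejected
    "alg:none with trailing dot": f"{NONE_H}.{P}.",
    "alg:none without trailing dot": f"{NONE_H}.{P}",
    "alg:nOnE case variant": f"{MIXED_H}.{P}.",
    "null signature, original header": f"{H}.{P}.",
    "tampered claims, original signature": f"{H}.{TAMPERED_P}.{SIG}",
}
```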
## License
JWT Explorer is available under the terms of either the MIT license or
the Apache License (Version 2.0).
Fonts used are distributed under the terms of the Open Font License.
JWT Explorer binaries include a statically linked copy of [OpenSSL](https://github.com/openssl/openssl) which is distributed under the terms of the Apache License 2.0.
See [LICENSE-APACHE](LICENSE-APACHE), [LICENSE-MIT](LICENSE-MIT), and
fonts/\*/LICENSE for details.