JWT Security Analyzer

Open Source

JWT Security Analyzer

Features Overview

JWT Decoder & Encoder: decode tokens to inspect header, payload, and signature; create and sign custom tokens with full algorithm support (HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512, none).
Security Analysis: automated vulnerability scanner with 50+ checks covering algorithm weaknesses, insecure claims, signature issues, sensitive data exposure, injection patterns, and RFC compliance — scored on a 0–100 scale.
Attack Vector Generator: 22 attack payloads including Algorithm None, Algorithm Confusion (RS256→HS256), JWK Injection, Kid Parameter Injection, JKU/X5U hijacking, JWT Smuggling, Nested JWT, Replay, Timing Attack, JWKS Cache Poisoning, plus recent CVEs (CVE-2024-54150, CVE-2024-34273, CVE-2025-20188, CVE-2025-30144).
Brute Force Tester: dictionary-based HMAC secret cracking with customizable wordlists, real-time progress tracking, speed metrics, and pause/stop controls.
Network Proxy: HTTP/HTTPS intercepting proxy with automatic JWT detection from headers, cookies, and request bodies; SSL/TLS decryption via auto-generated CA certificates; WebSocket support.
Token Validator: full signature verification with secret/key input, algorithm validation, claims verification, and expiration checks.
Replay Attack Simulator: send captured tokens multiple times with configurable delay, method, and replay count; monitors response codes and timing for vulnerability detection.
HTTP Request Tester: custom request builder (GET/POST/PUT/DELETE/PATCH) with JWT placement options (Authorization header, custom header, query parameter, body) and full response inspection.
Token Comparison: side-by-side diff of two JWT tokens highlighting header, payload, and signature differences with security impact analysis.
Key Generator: cryptographically secure HMAC secret generation (8–256 bits) and RSA key pair generation (1024–4096 bits) in PEM format.
Base64 URL Tools: RFC 4648 Base64 URL encoding and decoding.
Multi-language support (English/German) with automatic system language detection.

About Cookies

Cookies are small text files that are used by websites to make the user experience more efficient. According to the law, we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your consent. This means that cookies categorized as necessary are processed on the basis of Art. 6 para. 1 lit. f GDPR. All non-essential cookies, i.e. those in the categories of preferences and marketing, are processed on the basis of Art. 6 para. 1 lit. a GDPR.

There are different types of cookies on this site. Some cookies are placed by third parties that appear on our pages.

In our privacy policy, you can find out more about who we are, how you can contact us, and how we process personal data.

Please provide your consent ID and the date when you contact us regarding your consent.

Essential

Essential cookies enable basic functions and are required for the proper functioning of the website.

The list below shows all of the cookies that might be set.

ESSENTIAL_GDPR_ACCEPTED
Stores the user's cookie consent status for the current domain.
Expiry: 1 Month

ESSENTIAL_EMBEDDED
Recognizes if this website is embedded via an iFrame.
Expiry: Session

ESSENTIAL_RESOLUTION
Stores the screen resolution of the device.
Expiry: Session

PHPSESSID
Identifies the user and allows authentication to the server.
Expiry: Session

ESSENTIAL_RATEMONITOR_STATUS
Stores the Ratemonitor status.
Expiry: 1 Month

ESSENTIAL_CHILDREN_AMOUNT
Stores the amount of children for a booking request.
Expiry: 1 Month

ESSENTIAL_ADULTS_AMOUNT
Stores the amount of adults for a booking request.
Expiry: 1 Month

ESSENTIAL_START_DATE
Stores the arrival date for a booking request.
Expiry: 1 Month

ESSENTIAL_END_DATE
Stores the departure date for a booking request.
Expiry: 1 Month

JWT Security Analyzer

Open Source