Security Toolkit

JWT Security Analyzer

Analyze, test, and validate JSON Web Tokens with decoder, checks, payloads, validator, and replay tools.

Analyze, attack, and harden JSON Web Tokens.

Decoder and encoder

Decode tokens, inspect header, payload, and signature, evaluate claims, and sign custom tokens.

More than 50 checks

Full security analysis covering algorithms, claims, signatures, sensitive data, and RFC compliance on a 100-point scale with severity classification.

22 attack payloads

alg=none, algorithm confusion (RS256 to HS256), JWK injection, kid parameter injection, JKU and X5U hijacking, JWT smuggling, nested tokens, replay, timing attacks, and JWKS cache poisoning.

Current CVE coverage

CVE-2024-54150 (ECDSA psychic signature), CVE-2024-34273 (nJwt prototype pollution), CVE-2025-20188 (hard-coded JWT secret, CVSS 10.0), and CVE-2025-30144 (issuer bypass in fast-jwt).

Proxy with SSL/TLS interception

HTTP/HTTPS proxy on 127.0.0.1:8080 with auto-generated CA certificates, live traffic capture, and automatic JWT extraction.

Algorithms and keys

HS256, HS384, HS512, RS256, RS384, RS512, and the "none" algorithm variant. RSA key pairs, HMAC secret brute-force testing, side-by-side token diff, and Base64-URL tools.

Technical specs

Depth, not speed. Traceable down to the signature.

JWT Security Analyzer inspects tokens in depth, simulates concrete attacks, and documents findings clearly for reviews and audits.

Algorithms

  • HS256, HS384, HS512 (HMAC)
  • RS256, RS384, RS512 (RSA)
  • "none" as a test case

Attack payloads (22)

  • alg=none, algorithm confusion (RS256 to HS256)
  • JWK injection, kid parameter injection
  • JKU and X5U hijacking
  • JWT smuggling, nested tokens
  • Replay, timing attacks, JWKS cache poisoning

CVE coverage 2024 to 2025

  • CVE-2024-54150 (ECDSA psychic signature)
  • CVE-2024-34273 (nJwt prototype pollution)
  • CVE-2025-20188 (hard-coded JWT secret, CVSS 10.0)
  • CVE-2025-30144 (issuer bypass in fast-jwt)

Security analysis

  • More than 50 checks per token
  • 100-point scoring scale
  • Severity levels Critical, High, Medium, Low
  • RFC compliance checks
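The attack payloads listed above and the per-token checks in this section map onto a small, verifier-side analysis. The following is an added example, not the analyzer's own code: it decodes a token and reports the findings a reviewer would want first (unsigned tokens, an alg that differs from the one the application pinned, token-controlled key sources such as jku/x5u/jwk, missing exp/iss/aud, and sensitive claims). The claim names, secret and sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SENSITIVE_CLAIMS = {"password", "ssn", "secret"}  # constructed list of claim names to flag

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header, payload, hmac_key=b""):
    """Build a constructed sample token: HS256-signed when hmac_key is given, otherwise unsigned."""
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(hmac_key, signing_input.encode(), hashlib.sha256).digest() if hmac_key else b""
    return signing_input + "." + b64url_encode(sig)

def analyze_jwt(token, expected_alg, now=None):
    """Return (severity, message) findings; a small subset of the checks described on this page."""
    parts = token.split(".")
    if len(parts) != 3:
        return [("Critical", "token does not have three segments")]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    findings = []
    alg = str(header.get("alg", "none"))
    if alg.lower() == "none" or not parts[2]:
        findings.append(("Critical", "unsigned token (alg=none or empty signature)"))
    elif alg != expected_alg:  # verifier must pin the algorithm, never trust the header's alg
        findings.append(("Critical", f"alg {alg} != expected {expected_alg}; reject to block RS256->HS256 confusion"))
    for hdr in ("jku", "x5u", "jwk"):
        if hdr in header:
            findings.append(("High", f"header {hdr} lets the token choose its own verification key"))
    if "exp" not in payload:
        findings.append(("High", "no exp claim: token never expires"))
    elif float(payload["exp"]) <= now:
        findings.append(("Medium", "token is expired"))
    for claim in ("iss", "aud"):
        if claim not in payload:
            findings.append(("Medium", f"missing {claim} claim"))
    leaked = sorted(SENSITIVE_CLAIMS & {str(k).lower() for k in payload})
    if leaked:
        findings.append(("High", f"sensitive data in payload: {leaked}"))
    return findings

# Constructed samples: a well-formed HS256 token and an unsigned one that carries a jku header.
GOOD = make_token({"alg": "HS256", "typ": "JWT"},
                  {"iss": "example-issuer", "aud": "example-api", "exp": 2_000_000_000}, b"constructed-secret")
BAD = make_token({"alg": "none", "jku": "https://example.invalid/keys"}, {"sub": "alice", "password": "x"})
```

Running `analyze_jwt(GOOD, "RS256")` shows the algorithm-pinning check firing even on a validly signed token, which is the behaviour a verifier needs to stop confusion between key types.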

Proxy and interception

  • HTTP/HTTPS proxy on 127.0.0.1:8080
  • SSL/TLS interception via auto-generated CA certificates
  • Live traffic capture with JWT extraction
  • Custom requests, replay simulation, and response analysis

Keys and tools

  • RSA key pairs, HMAC secret testing
  • Brute force for HMAC secrets
  • Side-by-side diff with security impact
  • Base64-URL tools