free security tools
← Back to tools

JWT Attacker

Test JSON Web Tokens against common vulnerability patterns. All attacks run client-side — no data is sent to any server.

Results

Paste a JWT token and click Run Attacks.

What is JWT Attacker?

Test JWT security with 5 attack classes: alg:none bypass, kid injection, secret brute-force, algorithm confusion, and key injection.

Security Guide

alg:none bypass
Reject alg:none on server side — bypasses signature verification → JWT Decoder
Secret brute-force
Use 16+ random characters and rotate regularly → Entropy Checker
Algorithm confusion
Prefer RS256/ES256 over HS256 to prevent public-key-as-HMAC-secret forgery
kid header injection
Validate and sanitize kid — it can enable path traversal or SQL injection
Token expiry
Validate exp claim and reject expired tokens — missing expiry = permanent access