JWT Attacks Toolkit

alg:none, RS256→HS256 key confusion, weak secret cracking, kid injection.

Educational / CTF Use Only - This toolkit demonstrates known JWT vulnerabilities. Only test tokens you own or have explicit authorization to test.

JWT TOKEN

Examples

Click to load a vulnerable JWT

HS256 / weak secret "secret"

RS256 / admin role (try alg:none attack)

Token with kid traversal injection

1. alg:none Attack

Strips the signature and sets alg to none. Some libraries skip signature verification when alg is none.

2. RS256 → HS256 Key Confusion

If the server uses the RSA public key as the HMAC secret when alg is changed to HS256, a forged token is accepted. Paste the RSA public key PEM below.

3. Weak Secret Cracker

Tries common JWT secrets via HMAC-SHA256. Works on HS256 tokens loaded above.

4. kid Header Injection

Modify the kid (key ID) header claim. Some servers use kid to look up the signing key - injecting a malicious value can make the server use an attacker-controlled key.