// tool · tokens
JWT / JOSE Attack Lab
Decode, edit and re-sign JWTs in your browser and fire off the classic authentication attacks. Keys never leave your machine — everything runs with WebCrypto, locally.
Runs 100% in your browser · no key or token ever leaves your machine
Attacks
For authorized testing, research and education only. Do not test tokens/systems without explicit permission.
// reference
What JWT and JOSE are
A JWT (JSON Web Token) carries claims in three parts — header, payload and signature — base64url-encoded and separated by dots. The most confusing detail: a typical JWT is not encrypted, it's only signed (a JWS). Anyone can decode and read the header and payload; the signature only guarantees integrity and authenticity.
JOSE (JSON Object Signing and Encryption) is the family of specs that standardizes this: JWS (signing), JWE (encryption), JWA (algorithms) and JWK (keys). Most JWT flaws come from trusting fields the attacker controls — starting with the alg header.
The classic attack vectors
alg: none
Strips the signature (alg none/None/NONE/nOnE). Works against libraries that don't reject the none algorithm.
RS256 → HS256 confusion
Uses the RSA PUBLIC key (paste it in the public key field) as the HMAC secret: the library verifies HS256 with the public key, which is known.
kid → /dev/null
kid points to an empty file: the verification key becomes empty, so we sign HS256 with a null key.
kid SQLi
Injects SQL into kid to force the backend to return a known/controlled key from the key lookup.
jwk injection
Generates a pair in the browser, embeds the public key in the jwk header and self-signs: libraries that trust the embedded jwk accept it.
jku injection
Points the jku header to a URL you control; host the JWKS generated below and the library fetches your key.
Frequently asked questions
What is the alg:none attack on JWT?
It's when the token declares alg: none (or variants like None/NONE) and the library accepts the JWT without verifying the signature. If the backend doesn't reject the none algorithm, you can forge any payload.
How does the RS256 → HS256 algorithm confusion work?
The server expects RS256 (asymmetric signature) but the library accepts HS256. The attacker signs the token with HS256 using the RSA public key — which is known — as the HMAC secret, and verification passes.
Can I use it without Burp Suite?
Yes. The JWT Attack Lab runs 100% in the browser with WebCrypto: you decode, edit, re-sign and fire the classic attacks with no install and no proxy.
What are jwk and jku injection?
They point verification at an attacker-controlled key: jwk embeds the public key in the header itself; jku points to a URL with a JWKS you host. Libraries that trust these fields accept the self-signed token.
Are tokens or keys sent to any server?
No. Everything happens locally in the browser via WebCrypto — no token, secret or key ever leaves your machine.
Do your tokens hold up against this?
IntruderLabs runs the pentest that finds and proves authentication flaws before an attacker does — under your brand, with white-label reporting.
Talk to us →