// tool · tokens

JWT / JOSE Attack Lab

Decode, edit and re-sign JWTs in your browser and fire off the classic authentication attacks. Keys never leave your machine — everything runs with WebCrypto, locally.

Runs 100% in your browser · no key or token ever leaves your machine

Signature
Generate key pair:

Attacks

Forged token

For authorized testing, research and education only. Do not test tokens/systems without explicit permission.

// reference

What JWT and JOSE are

A JWT (JSON Web Token) carries claims in three parts — header, payload and signature — base64url-encoded and separated by dots. The most confusing detail: a typical JWT is not encrypted, it's only signed (a JWS). Anyone can decode and read the header and payload; the signature only guarantees integrity and authenticity.

JOSE (JSON Object Signing and Encryption) is the family of specs that standardizes this: JWS (signing), JWE (encryption), JWA (algorithms) and JWK (keys). Most JWT flaws come from trusting fields the attacker controls — starting with the alg header.

The classic attack vectors

alg: none

Strips the signature (alg none/None/NONE/nOnE). Works against libraries that don't reject the none algorithm.

RS256 → HS256 confusion

Uses the RSA PUBLIC key (paste it in the public key field) as the HMAC secret: the library verifies HS256 with the public key, which is known.

kid → /dev/null

kid points to an empty file: the verification key becomes empty, so we sign HS256 with a null key.

kid SQLi

Injects SQL into kid to force the backend to return a known/controlled key from the key lookup.

jwk injection

Generates a pair in the browser, embeds the public key in the jwk header and self-signs: libraries that trust the embedded jwk accept it.

jku injection

Points the jku header to a URL you control; host the JWKS generated below and the library fetches your key.

Frequently asked questions

What is the alg:none attack on JWT?

It's when the token declares alg: none (or variants like None/NONE) and the library accepts the JWT without verifying the signature. If the backend doesn't reject the none algorithm, you can forge any payload.

How does the RS256 → HS256 algorithm confusion work?

The server expects RS256 (asymmetric signature) but the library accepts HS256. The attacker signs the token with HS256 using the RSA public key — which is known — as the HMAC secret, and verification passes.

Can I use it without Burp Suite?

Yes. The JWT Attack Lab runs 100% in the browser with WebCrypto: you decode, edit, re-sign and fire the classic attacks with no install and no proxy.

What are jwk and jku injection?

They point verification at an attacker-controlled key: jwk embeds the public key in the header itself; jku points to a URL with a JWKS you host. Libraries that trust these fields accept the self-signed token.

Are tokens or keys sent to any server?

No. Everything happens locally in the browser via WebCrypto — no token, secret or key ever leaves your machine.

Do your tokens hold up against this?

IntruderLabs runs the pentest that finds and proves authentication flaws before an attacker does — under your brand, with white-label reporting.

Talk to us →