A lightweight Python-based CLI tool designed to analyze JSON Web Tokens (JWT) for common security misconfigurations and weaknesses. This project demonstrates practical JWT security assessment techniques commonly encountered during web application and API penetration testing.
This tool is intended for authorized security testing and educational purposes only. Do not use this tool against systems without explicit written permission. The author assumes no responsibility for misuse.
JSON Web Tokens are widely used for authentication and authorization in modern web applications and APIs. However, improper implementation may introduce serious vulnerabilities such as:
- Algorithm confusion
alg=nonebypass- Weak HMAC secrets
- Expired or improperly validated tokens
This tool provides a structured way to analyze JWT tokens from a security perspective.
- Decodes header and payload
- Parses JSON safely
- Does not validate signature at this stage
- Useful for manual inspection
Detects insecure configurations where:
"alg": "none" If accepted by the backend, this may allow authentication bypass.
Checks:
expclaim presence- Whether the token is expired
- Current UNIX timestamp comparison Identifies improperly validated or expired tokens.
If algorithm is HS256:
- Loads a small wordlist
- Attempts signature validation using common weak secrets
- Detects misconfigured HMAC signing keys
Example weak secrets:
- secret
- admin
- password
- 123456
This simulates a real-world pentesting scenario where weak signing keys are used.
1️⃣ Clone the repository git clone https://github.com/ikpehlivan/jwt-analyzer.git cd jwt-analyzer
2️⃣ Install dependencies pip install -r requirements.txt
Python 3.10+ recommended.
🚀 Usage Analyze a Token python jwt_analyzer.py -t <JWT_TOKEN>
Specify Custom Wordlist python jwt_analyzer.py -t <JWT_TOKEN> -w wordlists/custom.txt
📄 Sample Output
{
"header": {
"alg": "HS256",
"typ": "JWT"
},
"payload": {
"sub": "1234567890",
"role": "admin",
"exp": 1700000000
},
"alg_none_check": {
"vulnerable": false
},
"expiration_check": {
"valid": true
},
"weak_secret_check": {
"brute_force": "Weak secret found",
"secret": "secret"
}
}
