Skip to content

ikpehlivan/jwt-analyzer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

JWT Analyzer Tool Logo

JWT Analyzer Tool

A lightweight Python-based CLI tool designed to analyze JSON Web Tokens (JWT) for common security misconfigurations and weaknesses. This project demonstrates practical JWT security assessment techniques commonly encountered during web application and API penetration testing.


⚠️ Disclaimer

This tool is intended for authorized security testing and educational purposes only. Do not use this tool against systems without explicit written permission. The author assumes no responsibility for misuse.


🎯 Project Purpose

JSON Web Tokens are widely used for authentication and authorization in modern web applications and APIs. However, improper implementation may introduce serious vulnerabilities such as:

  • Algorithm confusion
  • alg=none bypass
  • Weak HMAC secrets
  • Expired or improperly validated tokens

This tool provides a structured way to analyze JWT tokens from a security perspective.


🔍 Features

1️⃣ JWT Decoding (Without Verification)

  • Decodes header and payload
  • Parses JSON safely
  • Does not validate signature at this stage
  • Useful for manual inspection

2️⃣ alg=none Detection

Detects insecure configurations where:

"alg": "none" If accepted by the backend, this may allow authentication bypass.


3️⃣ Expiration Validation

Checks:

  • exp claim presence
  • Whether the token is expired
  • Current UNIX timestamp comparison Identifies improperly validated or expired tokens.

4️⃣ Weak Secret Brute-Force (HS256 Only)

If algorithm is HS256:

  • Loads a small wordlist
  • Attempts signature validation using common weak secrets
  • Detects misconfigured HMAC signing keys

Example weak secrets:

  • secret
  • admin
  • password
  • 123456

This simulates a real-world pentesting scenario where weak signing keys are used.


⚙️ Installation

1️⃣ Clone the repository git clone https://github.com/ikpehlivan/jwt-analyzer.git cd jwt-analyzer

2️⃣ Install dependencies pip install -r requirements.txt

Python 3.10+ recommended.

🚀 Usage Analyze a Token python jwt_analyzer.py -t <JWT_TOKEN>

Specify Custom Wordlist python jwt_analyzer.py -t <JWT_TOKEN> -w wordlists/custom.txt

📄 Sample Output

{
"header": {
"alg": "HS256",
"typ": "JWT"
},

"payload": {
"sub": "1234567890",
"role": "admin",
"exp": 1700000000
   },

   "alg_none_check": {

       "vulnerable": false

   },

   "expiration_check": {

       "valid": true

   },

   "weak_secret_check": {

       "brute_force": "Weak secret found",

       "secret": "secret"

   }

}

About

A JWT analysis utility for identifying algorithm misconfigurations, expired tokens, and weak HMAC signing secrets.

Topics

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages