Master JWT Security: Test, Forge, and Exploit Tokens with jwt_tool.py

jwt_tool.py is a Python toolkit that validates, forges, scans, and manipulates JSON Web Tokens, offering features such as token validity checks, testing of known CVE‑related vulnerabilities, misconfiguration scanning, claim fuzzing, secret/key verification, dictionary‑based weak‑key detection, timestamp tampering, RSA/ECDSA key reconstruction, and interactive token editing.


Tool Overview

jwt_tool.py is a toolkit for validating, forging, scanning, and tampering with JSON Web Tokens (JWT).

Features

Check token validity

Test known vulnerabilities

(CVE-2015-2951) alg=none signature bypass

(CVE-2016-10555) RS/HS256 public key mismatch

(CVE-2018-0114) key injection

(CVE-2019-20933/CVE-2020-28637) blank password

(CVE-2020-28042) empty signature

Scan for misconfigurations or known weaknesses

Fuzz claim values to trigger unexpected behavior

Test the validity of secret files, key files, public keys, and JWKS keys against a token

Identify weak keys via high‑speed dictionary attacks

Forge new token headers and payloads, creating new signatures with keys or other attack methods

Timestamp tampering

RSA and ECDSA key generation and reconstruction from JWKS files

…and more

Usage

Show help:

$ python3 jwt_tool.py -h

Decode a token and view claims:

$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po

Verify a token with a public key:

$ python3 jwt_tool.py JWT_HERE -V -pk my_public.pem

Or using a JWKS file:

$ python3 jwt_tool.py JWT_HERE -V -jw my_public_jwks.json

Interactively tamper with header and payload claims:

$ python3 jwt_tool.py JWT_HERE -T
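As an added example (not code from jwt_tool.py or from this article), the following Python verifier shows the server-side checks that close the alg=none, empty-signature and RS/HS256 key-confusion classes listed above: the accepted algorithm is pinned in code rather than read from the token, and the signature must be present and match byte-for-byte. The secret and the minting helper are constructed for the demo; the claim {"login":"ticarpi"} mirrors the decoded token shown earlier.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads this from a secrets store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_decode(part: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (used here only to build demo inputs)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Strict verifier: returns the claims on success, None on any failure.

    The header is attacker-controlled, so it never gets to choose the
    algorithm: anything other than HS256 (including "none" or an RS256
    header aimed at a public-key confusion) is rejected, as is a token
    whose signature segment is empty or does not match.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and bad JSON/UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256" or not sig:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return payload
```

A minted token is accepted only with the right secret; the same payload carrying an alg=none header, an empty signature segment, or a modified claim is rejected.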
Written by: Software Development Quality