A utility for inspecting, modifying, and attacking JWTs.
Supports Windows and Linux and probably also works on macOS but this has not been tested.
cargo run --release
Or download the latest release for your platform from the releases page!
- Decode JWTs and inspect the headers and claims
- Automatically try some common secrets
- Generate
alg:none
attack payloads - Easily update
iat
andexp
with various offsets - Sign and encode tokens with common algorithms
- Accept and encode invalid JSON payloads
- Alter the claims while retaining the original signature
- Signature types: HMAC-SHA, ECDSA, RSASSA-PKCS1-v1_5
- alg:none
- "Sign" the JWT with an empty signature and set the algorithm type to "None". Accepted by some implementations which trust the JWT's choice of signature algorithm. Some parsers check for "none" but don't check for e.g. "nOnE". Make sure to try with and without the trailing dot.
- Null signature
- Leave the original header intact but don't provide a signature. Make sure to try with and without the trailing dot.
- Retain original signature
- Tamper with the claims while leaving the original signature intact.
- Guess common secrets
- If the token has been signed with an HMAC then try a few common secrets. This is not a substitute for passing the token to Hashcat, but can get some easy wins.
JWT Explorer is available under the terms of either the MIT license or the Apache License (Version 2.0).
Fonts used are distributed under the terms of the Open Font License.
JWT Explorer binaries include a statically linked copy of OpenSSL which is distributed under the terms of the Apache License 2.0.
See LICENSE-APACHE, LICENSE-MIT, and fonts/*/LICENSE for details.