SkillAgentSearch skills...

JWTLens

JWTLens - Burp Suite extension for automated JWT security testing. 62 checks: passive scanning, algorithm confusion, signature bypass, KID injection, weak secret brute force, and a built-in JWT Forge tab. Works automatically as you browse.

GenerateConvertImprove

Install / Use

/learn @chawdamrunal/JWTLens
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

JWTLens

Comprehensive JWT Security Scanner for Burp Suite

JWTLens is a Burp Suite extension that automatically detects and tests JSON Web Tokens (JWTs) for security vulnerabilities. It performs 56 security checks covering the complete JWT attack surface — from passive analysis of token configuration to active exploitation of signature bypasses, algorithm confusion, header injection, and more.

JWTLens is a JWT decoder and security testing tool for analyzing JSON Web Tokens. It helps detect vulnerabilities like algorithm confusion, signature bypass, and weak validation.

a-modern-vector-style-logo-banner-featur_fq0GVcNLQw-JF3kfVY4Rww__0gZEU7xRAml4RnpKeJk0w_sd

JWTLens adds two dedicated tabs in Burp Suite's top bar: JWTLens (findings dashboard) and JWT Forge (live token editor and signer). It also passively extracts secrets and keys from JavaScript files and API responses to supercharge its active attacks.

JWTLens — Burp site map with JWT findings

Why JWTLens?

Most JWT testing tools either require manual effort or only cover a handful of checks. JWTLens runs automatically in the background as you browse, catching JWT misconfigurations the moment they appear in your proxy traffic. When you want to go deeper, the active scanner tests every known JWT attack vector against the server with a single right click.

Compared to existing JWT extensions, JWTLens adds:

  • Full passive scanning (no other extension does this)
  • JWT Forge tab — a live jwt.io-style editor with signing built into Burp
  • Secret Extractor — passively finds hardcoded secrets and keys in JS/JSON/HTML responses
  • Proper JWKS parsing — fetches the real server public key for algorithm confusion attacks
  • Request + Response scanning — brute force and all actions work on JWTs found anywhere, not just in requests
  • Weak secret brute forcing with custom wordlist support (augmented by extracted secrets)
  • KID injection testing (SQL injection, command injection, LDAP injection, path traversal with 10+ paths)
  • x5u and x5c header injection
  • Claim tampering for privilege escalation
  • Smart deduplication to avoid duplicate findings
  • A built-in findings dashboard with CSV export

Key Features

JWT Forge Tab

A dedicated Burp tab that works like jwt.io but with real attack capabilities:

  • Paste any JWT — instantly decodes into editable header and payload JSON with syntax coloring
  • Algorithm selector — switch between none, HS256, HS384, HS512, RS256, RS384, RS512
  • Sign Token — re-sign the edited token with your chosen algorithm and secret/key
  • Use Discovered Secret — one-click auto-fill with secrets found by brute force or the Secret Extractor
  • Copy as cURL — generates a ready-to-paste curl command with the forged token as a Bearer header
  • Copy as Python — generates a Python requests script with the forged token
  • Send to Forge — right-click any request in Proxy/Repeater and send its JWT directly to the Forge tab
  • When brute force cracks a secret, the token and secret are automatically loaded into Forge for immediate re-signing

Secret Extractor (Passive)

Runs automatically on every JS, JSON, HTML, and text response flowing through Burp Proxy:

  • Hardcoded JWT secrets — detects assignments like JWT_SECRET = "...", "jwtSecret": "...", JWT_SECRET=value across JS, JSON, .env, and YAML patterns
  • RSA/EC private keys — detects PEM-formatted private keys exposed in responses
  • RSA public keys — extracts and stores for use in algorithm confusion attacks
  • Inline JWKS — detects {"keys":[...]} structures embedded in responses
  • JWKS URL references — finds jwks_uri, jwks_url, and similar references for the active scanner to follow
  • Base64-encoded secrets — decodes atob("...") and Buffer.from("...") patterns
  • False positive filtering — ignores template variables (${...}), common placeholder values, and generic words
  • Discovered secrets are automatically prepended to the brute force wordlist (tested first, highest priority)
  • Discovered public keys are automatically fed into the algorithm confusion attack (A07)
  • All discoveries are reported as findings in the JWTLens tab with severity ratings

Proper JWKS Parsing for Algorithm Confusion (A07)

The algorithm confusion attack (RS256 to HS256) now uses the server's actual public key instead of a generated one:

  • Phase 1 — Fetches JWKS from well-known endpoints (/.well-known/jwks.json, /jwks.json, etc.)
  • Phase 2 — Follows jwks_uri from OpenID Configuration if direct JWKS is not found
  • Phase 3 — Uses public keys discovered by the Secret Extractor from JS/response bodies
  • Phase 4 — Tests each real key in both DER and PEM encoding as the HMAC secret
  • Phase 5 — Falls back to a generated key pair only if no real key is available
  • Smart key selection — matches by the token's kid, then by use=sig, then by alg=RS*
  • Proper JWK parsing reconstructs RSAPublicKey objects from n and e Base64url values
  • This means the attack actually works against real targets where it previously would always fail

Request + Response JWT Extraction

All context menu actions now search both the request and response for JWTs:

  • Brute Force — finds and cracks JWTs from response bodies (e.g., login endpoints, config APIs)
  • Send to Forge — works with JWTs from any location
  • Decode JWT — decodes all JWTs found in both request and response, labeled with their source
  • Multi-JWT picker — when multiple JWTs are found (e.g., one in request header, one in response body), a dialog lets you choose which one to act on
  • Each JWT is labeled [Request] or [Response] so you always know where it came from

What JWTLens Covers — 56 Security Checks

Passive Checks (23 checks, no requests sent)

These run automatically on every request and response flowing through Burp Proxy.

Token Detection and Leakage

  • P01 — JWT detected in HTTP traffic (Info)
  • P02 — JWT exposed in URL query parameter (Medium)
  • P03 — JWT exposed in URL fragment (Medium)
  • P14 — JWT leaked in HTTP response body (Medium)

Cookie Security

  • P04 — JWT cookie missing HttpOnly flag (Medium)
  • P05 — JWT cookie missing Secure flag (Medium)
  • P06 — JWT cookie missing SameSite attribute (Low)

Token Lifetime

  • P07 — JWT missing expiration (exp) claim (High)
  • P08 — JWT has excessive lifetime (configurable threshold) (Low)
  • P10 — Expired JWT still being sent in requests (Info)

Claim Validation

  • P11 — Missing issuer (iss) claim (Low)
  • P12 — Missing audience (aud) claim (Low)
  • P22 — Missing not before (nbf) claim (Info)
  • P23 — Missing unique identifier (jti) claim (Info)

Sensitive Data and Structure

  • P09 — Sensitive data in JWT payload (emails, passwords, SSN, credit cards, API keys) (Medium)
  • P13 — Symmetric algorithm detected (brute force advisory) (Info)
  • P20 — Nested JWT detected inside payload (Info)

Dangerous Header Parameters

  • P15 — kid (Key ID) parameter present (Info)
  • P16 — jku (JWKS URL) parameter present (Low)
  • P17 — x5u (X.509 Certificate URL) parameter present (Low)
  • P18 — x5c (X.509 Certificate Chain) parameter present (Low)
  • P19 — jwk (Embedded JSON Web Key) parameter present (Low)
  • P21 — Weak or deprecated signing algorithm (Medium)

Secret Extraction (Passive)

  • S01 — JWT signing secret extracted from JS/JSON/HTML response (High)
  • S02 — RSA/EC private key exposed in HTTP response (High)
  • S03 — RSA public key found in HTTP response (Low)
  • S04 — Inline JWKS found in response (Low)
  • S05 — JWKS URL reference discovered in response (Info)
  • S06 — Base64-encoded secret decoded from response (High)

Active Checks (33 checks, sends modified requests)

These run during active scanning or when triggered manually through the right-click menu.

Signature Bypass

  • A01 — Algorithm None attack (all 16 case permutations of "none") (High)
  • A02 — Invalid signature accepted (signature verification not enforced) (High)
  • A03 — Signature stripping (empty signature accepted) (High)
  • A23 — Null signature bytes accepted (High)
  • A28 — Payload modification accepted without re-signing (High)

Weak Keys

  • A05 — Empty secret key accepted (HMAC with empty password) (High)
  • A06 — Weak secret brute force (200+ built-in + extracted secrets, custom wordlist support) (High)
  • A26 — Weak RSA key size detected (modulus under 2048 bits) (High)

Algorithm Attacks

  • A07 — Algorithm confusion RS256 to HS256 (proper JWKS parsing, uses server's real public key) (High)
  • A22 — Cross algorithm signing (HS384, HS512 with empty or known key) (High)
  • A25 — Algorithm confusion with forged public key (Sign2n) (High)

Header Injection

  • A08 — JWK header injection (self-signed key embedded in token) (High)
  • A09 — JKU header injection (attacker-controlled JWKS URL) (High)
  • A10 — JKU SSRF pingback (server makes outbound request to attacker URL) (Medium)
  • A11 — X5U header injection (attacker-controlled certificate URL) (High)
  • A12 — X5C header injection (self-signed certificate embedded in token) (High)

KID Injection

  • A13 — KID path traversal (10+ traversal paths including /dev/null, /etc/hostname) (High)
  • A14 — KID SQL injection (UNION SELECT, OR bypass, error-based) (High)
  • A15 — KID command injection (time-based detection with sleep payloads) (High)
  • A16 — KID LDAP injection (wildcard and filter manipulation) (High)

Token Lifetime and Claims

  • A04 — Expired JWT accepted by server (High)
  • **

chawdamrunal

View profile

View on GitHub
GitHub Stars43
CategoryDevelopment
Updated1h ago
Forks9
chawdamrunal/JWTLens

Languages

Java

Security Score

80/100

Audited on Apr 10, 2026

No findings