A comprehensive JWT (JSON Web Token) security testing toolkit with a user-friendly GUI. Perfect for security researchers, penetration testers, and developers who need to analyze, manipulate, and test JWT implementations.
- Parse JWT tokens and display header/payload
- Validate token structure
- Analyze standard and custom claims
- Human-readable timestamp formatting
- Create JWT tokens with custom payloads
- Support for multiple algorithms (HS256, none)
- Default payload templates
- JSON validation and formatting
- Decode JWT tokens with or without verification
- Signature validation
- Expiration and timing checks
- Detailed claims analysis
- Copy-friendly output formatting
- Common Secrets: Test against 40+ common weak secrets
- Wordlist Attack: Use custom wordlists (rockyou.txt, etc.)
- Real-time progress tracking
- Multi-threaded for performance
- Attack statistics and timing
- Auto-integration with decode functionality
- Python 3.6 or higher
- PyQt5
```bash
pip install PyQt5
git clone https://github.com/CyberNilsen/CyberJWT.git
cd CyberJWT
python main.py
```
- Paste any JWT token to analyze its structure
- View decoded header and payload
- Identify token type and algorithm
- Select signing algorithm (HS256, none)
- Enter secret key for signing
- Create custom JSON payload or use defaults
- Generate valid JWT tokens
- Paste JWT token for decoding
- Optional: Enter secret key for verification
- Configure verification options:
  - Verify signature
  - Check expiration
- View detailed claims analysis
- Method 1 - Common Secrets: Quick test against weak passwords
- Method 2 - Wordlist Attack: Use custom wordlist files
- Real-time progress with statistics
- Found secrets auto-populate decode tab
# Test for weak JWT secrets
1. Paste target JWT in brute-force tab
2. Start with "Common Secrets" attack
3. If unsuccessful, try wordlist attack with rockyou.txt
4. Found secret automatically enables token verification
# Analyze suspicious JWT tokens
1. Use Parse tab to examine token structure
2. Check claims in Decode tab
3. Verify signatures if secret is known
4. Validate expiration and timing
# Create test tokens for development
1. Use Encode tab with custom payloads
2. Test different algorithms and secrets
3. Generate tokens for various test scenarios
```
CyberJWT/
├── gui.py          # Main GUI application
├── encode.py       # JWT encoding functionality
├── decode.py       # JWT decoding and parsing
├── bruteforce.py   # Brute-force attack implementation
├── main.py         # Python file to start the program
└── README.md       # This file
```
- HS256: HMAC using SHA-256
- none: Unsigned tokens
- Common Secrets: ~40 frequently used weak passwords
- Wordlist Support: External files (UTF-8 encoded)
- Performance: Multi-threaded with progress tracking
- Smart Validation: Pre-checks token structure
- Signature verification
- Expiration validation
- Timing attack protection
- Safe base64 URL decoding
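As an added example (not CyberJWT's own code), a minimal HS256 verifier that implements the checks listed above: strict base64url decoding, refusal of `alg: none`, constant-time signature comparison, and `exp`/`nbf` timing checks. The `encode_hs256` helper exists only to construct test tokens; the secret and claims are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(data: str) -> bytes:
    """Base64url decode, restoring the padding that JWTs strip (RFC 7515 forbids '=')."""
    if any(c in data for c in "+/="):  # reject standard-alphabet or padded input outright
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_hs256(payload: dict, secret: str) -> str:
    """Build an HS256-signed token; used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_and_verify(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the payload only if structure, algorithm, signature and timing all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # 'none' (and anything else) is refused before any trust
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):  # constant-time compare
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(parts[1]))  # claims are parsed only after the MAC passes
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload
```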
This tool is designed for:
- Security research and education
- Authorized penetration testing
- Vulnerability assessment of your own applications
- JWT implementation testing
Important: Only use this tool on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
Contributions are welcome! Please feel free to submit a Pull Request. Areas for improvement:
- Additional JWT algorithms (RS256, ES256)
- Enhanced brute-force methods
- Import/export functionality
- Token manipulation features
- Performance optimizations
- Python 3.6+
- PyQt5
- Standard library modules (json, base64, hmac, hashlib, threading)
This project is licensed under the MIT License.
- JWT.io - JWT token debugger
- RFC 7519 - JWT specification
- OWASP JWT Security
- Currently supports only HS256 and 'none' algorithms
- Brute-force limited to symmetric key algorithms
- Large wordlists may require significant memory
- Use common secrets attack first - it's faster
- For wordlist attacks, SecLists and rockyou.txt are recommended
- Always verify found secrets in the decode tab
- Monitor attack statistics for performance optimization