JWT Breach Simulator
Don't just decode your tokens—attack them. This tool runs client-side simulations to test your JWT for weak secrets and critical vulnerabilities.
Weak Secret Attack
Simulates a brute-force attempt using a dictionary of the top 100 most common passwords. If your signing key is "secret" or "123456", we will find it.
"None" Algo Exploit
Checks if your token header explicitly allows the `none` algorithm, a critical vulnerability that allows attackers to forge admin tokens efficiently.
PII Leak Scan
Scans your payload for sensitive data like passwords, emails, or credit card numbers that should never be stored in a client-readable JWT.
Understanding JWT Vulnerabilities
JSON Web Tokens (JWT) are the standard for modern stateless authentication. However, their self-contained nature makes them a prime target for attackers. If implemented incorrectly, a JWT can be manipulated to grant unauthorized admin access, leak PII, or allow account takeovers.
The "None" Algorithm Exploits
The JWT header specifies the signing algorithm. A critical flaw in some libraries allows attackers to set this to `none`, effectively telling the server "this token isn't signed, trust me." If the server accepts this, anyone can forge a token with `admin: true`.
Weak Signing Secrets
Many developers use default secrets like `secret123` or `yoursecretkey`. Attackers can use tools like Hashcat to brute-force millions of these secrets per second offline. Once the secret is found, they can sign their own arbitrary tokens.
Information Leaks (PII)
JWTs are just Base64 encoded, not encrypted. Anyone who intercepts the token (e.g., via local storage or insecure HTTP) can read the payload. Storing emails, user IDs, or roles in clean text exposes your user architecture to potential exploit.
Key Confusion Attacks
A more advanced attack where the attacker changes the algorithm from RS256 (Asymmetric) to HS256 (Symmetric) and uses the public key (which is public) to sign the token. If the server isn't strict, it might try to verify the HS256 signature using the public key as the secret.
Frequently Asked Questions
Is it safe to paste my production token here?
Yes. This tool runs 100% client-side. Your token never leaves your browser. However, as a best practice, you should rotate any production credential you paste into a third-party tool, or use a test token with similar structure.
How do I fix a weak secret?
Generate a cryptographically strong random string (at least 256 bits for HS256). You can use our UUID Generator or a dedicated secret management service. Never commit secrets to git.
Should I store JWTs in LocalStorage?
Generally, no. LocalStorage is vulnerable to XSS (Cross-Site Scripting). If an attacker runs JS on your domain, they can steal the token. HttpOnly cookies are recommended for storing sensitive session tokens.