Home JWT Fuzzing

JWT Fuzzing

The goal of this tool is to create a list of fuzzing payloads for testing JWTs on web services and applications. The payloads are designed to test common JWT issues and bypasses, as well as attempt to cause server errors via invalid and missing values. This includes an option to dynamically inject every field and subfield in the JWT header and body with SQL injection payloads as well as bad and invalid types. The payloads generated are ready to put straight into a fuzzing tool, like Intruder in Burp Suite.

CVE-2022-21449 Update: Payload generation has been updated to include payloads for CVE-2022-21449 “Psychic Signatures in Java”. More information regarding a PoC can be found on this GitHub repo.

Crack HS256 JWT with Hashcat

hashcat.exe -m 16500 -a 0 -w 3 JWT_LIST WORD_LIST
  • JWT_LSIT path to file containing JWTs to crack.
  • WORD_LIST path to file containing (pass)word list (e.g. rockyou).
  • NOTE that this only works for the HS256 signing algorithm.


Be VERY careful when pasting JWT tokens into arbitrary websites! JWT’s can grant access to systems and must be treated as confidential.

ALL processing on this website is done client-side. However, this may not be case with other sites.

The value in the input field below is stored in session storage for temporary persistance (refreshes and changing pages). This is cleared when your browser/tab is closed. If you don’t want tokens stored at all, update the option below:

Insert JWT

This post is licensed under CC BY 4.0 by the author.