JWTScout is a production-ready, high-performance command-line interface (CLI) tool designed for security researchers, penetration testers, and bug bounty hunters. It provides a comprehensive suite for analyzing, auditing, and exploiting vulnerabilities in JSON Web Tokens (JWT).
- 🔍 Intelligent Analysis: Automatically decodes and audits tokens for common misconfigurations, weak algorithms, and sensitive data leakage.
- 🛡️ Algorithm Attack Suite:
  - alg: none: Automated generation of unsigned tokens.
  - Algorithm Confusion: RS256 to HS256 conversion attacks.
  - Algorithm Downgrade: Testing resistance against weaker algorithm enforcement.
- ⚡ High-Speed HMAC Brute Forcer: Multi-threaded secret recovery with support for custom wordlists and early termination.
- 🛠️ Advanced Token Forging:
  - Manipulate any claim (role, permissions, timestamps).
  - Support for Integer, Boolean, and String claim values.
  - Real-time re-signing with known secrets.
- 💉 Header Injection Engine: Generates payloads for `kid` header vulnerabilities (Path Traversal, SQLi, Command Injection).
- 🎨 Premium UX: Beautiful, colorized, severity-based terminal reporting with clear actionable findings.
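The alg: none and Algorithm Confusion checks above both exploit servers that let the token choose its own algorithm. As an added example (not JWTScout's code), here is a standard-library-only verifier that pins the expected algorithm server-side so both token classes are rejected before any claim is read; SignHS256 and VerifyHS256 are hypothetical names, and the secret and claims used with them are constructed test values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// SignHS256 is a constructed helper (not JWTScout code) that mints a test token.
func SignHS256(claims map[string]any, secret []byte) string {
	hdr := []byte(`{"alg":"HS256","typ":"JWT"}`)
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 returns the claims only when the header alg is exactly the server-pinned "HS256" and the HMAC matches; alg:none and RS256->HS256 confusion tokens fail here.
func VerifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string } // encoding/json matches the "alg" key case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("rejected: header alg %q is not the pinned HS256", hdr.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), raw[2]) { // constant-time comparison
		return nil, fmt.Errorf("rejected: signature mismatch")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, fmt.Errorf("bad payload json: %w", err)
	}
	return claims, nil
}
```

Running `jwtscout alg-test` against a token issued by such a server should produce test cases that the server rejects; if any of them is accepted, the verifier is reading the algorithm from the token.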
- Go 1.18 or higher.
If you have Go installed, you can install JWTScout directly:
```bash
go install -v github.com/ismailtsdln/JWTScout@latest
```

This will automatically download, compile, and install the JWTScout binary to your $GOPATH/bin directory.
```bash
# Clone the repository
git clone https://github.com/ismailtsdln/JWTScout.git
# Navigate to the project directory
cd JWTScout
# Build the binary
go build -o jwtscout main.go
# (Optional) Move to your path
sudo mv jwtscout /usr/local/bin/
```

Audit a token for vulnerabilities and misconfigurations.
```bash
jwtscout analyze --token <JWT>
```

Attempt to recover the signing secret using a wordlist.

```bash
jwtscout brute --token <JWT> --wordlist common-secrets.txt --workers 50
```

Generate test cases for alg:none and confusion attacks.

```bash
jwtscout alg-test --token <JWT>
```

Modify claims and re-sign a token.

```bash
jwtscout forge --token <JWT> --claim role=admin --claim admin=true --secret "mysecret123"
```

Generate injection payloads for the `kid` header.

```bash
jwtscout kid-test --token <JWT>
```

The project follows a clean, modular design focused on extensibility:

- internal/parser: Robust JWT decoding and validation engine.
- internal/validator: Security logic and finding generators.
- internal/brute: Thread-safe, context-aware brute force engine.
- internal/forge: High-level API for token manipulation and signing.
- internal/attacker: Implementation of specific attack vectors.
- internal/reporter: Aesthetic terminal output management.
JWTScout is intended for authorized security testing and educational purposes only.
Illegal use of this tool against targets without prior written consent is strictly prohibited. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. Users are expected to comply with all applicable local, state, and federal laws.
This project is licensed under the MIT License. See the LICENSE file for details.
Developed with ❤️ by Ismail Tasdelen
Empowering security professionals through better tools.