Real exploits on real - broken - authentication code.
Each lab is a self-contained Docker app that teaches one JWT attack vector end-to-end: read the vuln, run the exploit, get the flag.
| Name | Vulnerability | Difficulty |
|---|---|---|
| Blind Trust | Unverified JWT Signature | 🟢 Easy |
| Voiding The Rules | alg: none Bypass | 🟢 Easy |
| Secrets Under The Rug | Weak HMAC Secret | 🟡 Medium |
| Chameleon Hashes | RS256 -> HS256 Confusion | 🟠 Hard |
| Wrong Turn | kid Header Path Traversal | 🟠 Hard |
| Trojan Keys | JWK Header Injection | 🔴 Expert |
| Puppet Master | JKU Header Injection | 🔴 Expert |
| Shadow Key | Algorithm Confusion + Public Key Recovery | 🔴 Expert |
```bash
cd <lab-folder>
docker build -t <lab-name> .
docker run -p 3000:3000 <lab-name>
# open http://localhost:3000
```

Each lab's README has specific instructions, hints, and a full solution walkthrough.
- Docker
- A browser
- Some curiosity
Work through the labs in order - each one builds on the previous:

- Blind Trust - JWT signatures are never verified; modify any claim you like
- Voiding The Rules - Set `alg` to `none` and strip the signature entirely
- Secrets Under The Rug - Crack a weak HMAC secret offline, forge an admin token
- Chameleon Hashes - Confuse an RS256 server into accepting HS256 signed with the public key
- Wrong Turn - Traverse the filesystem via `kid`, sign with an empty key
- Trojan Keys - Embed your own public key in the token header, bypass the keystore
- Puppet Master - Point `jku` at your own JWKS server, sign with your own key
- Shadow Key - Recover the hidden RSA public key from two signatures (sig2n), then forge
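Each lab above isolates one mistake in a server's token verifier. As an added example that is not part of this repo or of any lab, here is a strict stdlib-only Python HS256 verifier in which every rejection is annotated with the lab it closes. The key table, secret and tokens are constructed sample data, and the `kid` allowlist, the `MIN_SECRET_BYTES` threshold and the set of rejected header names are design choices of this example, not anything the labs specify.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side policy. The key table is constructed sample data; a real service
# loads it from configuration, never from anything the token itself carries.
ALLOWED_ALGS = {"HS256"}                      # the server decides the algorithm
MIN_SECRET_BYTES = 32                         # shorter HMAC secrets invite offline cracking
KEYS = {"2024-01": b"constructed-sample-secret-0123456789abcdef"}
FORBIDDEN_HEADERS = {"jwk", "jku", "x5u", "x5c"}   # key material supplied by the token
B64URL_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Reject empty or non-base64url segments (an empty third segment is a stripped signature).
    if not text or not set(text) <= B64URL_CHARS:
        raise ValueError("bad base64url segment")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, kid: str, secret: bytes, extra_header=None) -> str:
    """Issue a token; used here only to build sample inputs for the verifier."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid, **(extra_header or {})}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
        for obj in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, keys=KEYS, now=None) -> dict:
    """Return the claims of a valid token or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")

    # Voiding The Rules / Chameleon Hashes: the header's alg may only agree with the
    # algorithm the server already chose. "none" and "RS256" both fail here.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not permitted: {header.get('alg')!r}")

    # Trojan Keys / Puppet Master: keys or key URLs carried in the header are never honoured.
    if FORBIDDEN_HEADERS.intersection(header):
        raise ValueError("token supplies its own key material")

    # Wrong Turn: kid is an opaque lookup into a fixed table, never a path or file name.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keys:
        raise ValueError("unknown kid")
    secret = keys[kid]

    # Secrets Under The Rug: refuse to run with a secret short enough to brute-force.
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("HMAC secret too short")

    # Blind Trust: always recompute the MAC over the exact bytes received and compare
    # in constant time before a single claim is read.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    now = time.time() if now is None else now
    if "exp" in claims and not (isinstance(claims["exp"], (int, float)) and now < claims["exp"]):
        raise ValueError("token expired")
    return claims


def check(token: str, keys=KEYS, now=None):
    """(True, claims) when the token verifies, (False, reason) when it is rejected."""
    try:
        return True, verify(token, keys=keys, now=now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    secret = KEYS["2024-01"]
    good = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, "2024-01", secret)
    head, _, sig = good.split(".")
    forged = b64url_encode(b'{"sub":"alice","role":"admin","exp":2000000000}')
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT","kid":"2024-01"}')
    rs_header = b64url_encode(b'{"alg":"RS256","typ":"JWT","kid":"2024-01"}')
    cases = {
        "valid token": good,
        "payload tampered, signature reused": f"{head}.{forged}.{sig}",
        "alg none, signature stripped": f"{none_header}.{forged}.",
        "alg switched to RS256": f"{rs_header}.{forged}.{sig}",
        "kid shaped like a path": sign_hs256({"sub": "x"}, "../dev/null", secret),
        "jwk embedded in header": sign_hs256({"sub": "x"}, "2024-01", secret, {"jwk": {"kty": "oct"}}),
        "expired": sign_hs256({"sub": "x", "exp": 1}, "2024-01", secret),
    }
    for name, tok in cases.items():
        ok, detail = check(tok)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}: {detail}")
```

Run it directly to see each constructed case accepted or rejected with its reason. The rule the code follows throughout is the one the labs keep breaking: the server decides the algorithm and the key, and the token is only allowed to agree with them.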
PRs welcome. See CONTRIBUTORS.md for guidelines.