JWT Decoder

Decode, analyze, and manipulate JSON Web Tokens for CTF challenges and security testing

JWT Token Paste your JWT token (eyJ...)

JWT Exploitation Techniques

Change "alg" from RS256 to HS256 to trick server into using public key as HMAC secret

"alg": "none"

Modify payload claims like "admin": true or "role": "admin" to gain elevated privileges

"role": "user" → "admin"

Set algorithm to "none" to bypass signature verification in misconfigured systems

Remove signature entirely

Exploit "kid" (Key ID) parameter for SQL injection or path traversal attacks

"kid": "../../../dev/null"

Structure: JWT has 3 parts: Header.Payload.Signature (base64url encoded)
Header: Contains algorithm (alg) and token type (typ), vulnerable to tampering
Payload: Contains claims (sub, name, iat, exp), main target for exploitation
Signature: Verifies token integrity, but can be bypassed with "none" algorithm
Common Claims: sub (subject), iat (issued at), exp (expiration), aud (audience)
Testing: Try jwt_tool, john the ripper, or hashcat for cracking weak secrets