Auto Exploit

Paste your JWT into the tool and hit Auto Exploit. It generates a complete list of attack payloads in seconds.

JWT Forge Auto Exploit UI showing the input panel and exploit button
The Auto Exploit button lives right in the main panel — paste your token and fire.

The generated list covers a wide range of known vulnerabilities: alg:none attacks, algorithm stripping, kid parameter path traversal, Java CVE payloads, JWK misconfigurations, embedded public key attacks, and more. If you've worked through PortSwigger's JWT labs, you'll recognize most of these — almost all of them are covered here, and then some.

List of generated JWT exploit payloads with Copy All and Load buttons
Each payload targets a specific vulnerability class. The list can get long — that's a good sign.

Once the list is generated, hit Copy All to grab every payload as a wordlist. Paste it straight into Burp Suite Intruder or Caido Automate and fire a batch test against your target's authentication endpoint.

Burp Suite Intruder configured with JWT payloads from the Copy All output
The copied wordlist drops straight into Intruder or Caido Automate with no reformatting needed.

Here's what that looks like against one of the PortSwigger labs — the tool generated the payloads, Intruder ran them all, and one came back with a successful response.

PortSwigger JWT lab showing a successful bypass in Burp Intruder results
One request, one bypass. The 302 in the results column tells the whole story.

Once you've confirmed which payload works, use the Load button to pull it back into the JWT editor. From there you can tweak claims, adjust the signature, and craft the final token before sending it to your target.

Tip: The Load button maps the working payload back to the decoded view, so you can see exactly which fields were changed and make any additional modifications before re-encoding.
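The payload classes listed above all work by getting the server to trust something in the token header: the `alg` value, an embedded `jwk`/`jku` key, or a `kid` that is used as a file path. The following verifier is an added example written for this page, not JWT Forge code and not taken from any library; it shows the server-side shape that makes those payloads fail. It pins the algorithm, rejects header-supplied key material, treats `kid` purely as an in-memory dictionary key, and checks the signature in constant time. `DEFAULT_KID`, `sign_hs256` and the `demo()` tokens are assumptions constructed here so the block runs offline.

```python
"""Strict HS256 JWT verifier (added example for this page; not JWT Forge code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}                                 # pinned server-side, never read from the token
FORBIDDEN_HEADER_PARAMS = {"jwk", "jku", "x5u", "x5c"}  # key material must not come from the token
DEFAULT_KID = "default"                                  # assumed key label; a dict key, never a path


class JWTError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_decode(segment: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes, kid: str = DEFAULT_KID, extra_header: Optional[dict] = None) -> str:
    """Issue a token the way the server would (used here only to build test input)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid, **(extra_header or {})}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, keys: dict, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise JWTError for anything else.

    `keys` maps a key id to its HMAC secret. `kid` is only ever used as a
    dictionary lookup, so traversal-style values never reach the filesystem.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers both bad base64 and bad JSON
        raise JWTError(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JWTError("header and payload must be JSON objects")
    # 1. Algorithm: exact, case-sensitive match against the allowlist (rejects none/None/RS256).
    if header.get("alg") not in ALLOWED_ALGS:
        raise JWTError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Any attempt to ship a key inside the header is rejected, not silently ignored.
    bad = FORBIDDEN_HEADER_PARAMS & set(header)
    if bad:
        raise JWTError(f"forbidden header parameters: {sorted(bad)}")
    # 3. Key selection by label only.
    kid = header.get("kid", DEFAULT_KID)
    secret = keys.get(kid) if isinstance(kid, str) else None
    if secret is None:
        raise JWTError("unknown key id")
    # 4. Constant-time comparison over the exact bytes received; an empty signature fails here.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTError("bad signature")
    # 5. exp is mandatory; a token without it is treated as invalid.
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise JWTError("token expired or missing exp")
    return claims


def demo() -> dict:
    """Run constructed tokens through the verifier; returns 'accepted' or 'rejected: <why>' per case."""
    secret = b"constructed-demo-secret-at-least-32-bytes!!"
    keys = {DEFAULT_KID: secret}
    now = 1_700_000_000
    good = sign_hs256({"sub": "alice", "exp": now + 600}, secret)
    h, p, _ = good.split(".")
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    cases = {
        "valid": good,
        "alg_none_empty_sig": f"{none_header}.{p}.",
        "signature_stripped": f"{h}.{p}.",
        "embedded_jwk": sign_hs256({"sub": "alice", "exp": now + 600}, secret, extra_header={"jwk": {"kty": "oct"}}),
        "kid_path": sign_hs256({"sub": "alice", "exp": now + 600}, secret, kid="../../some/file"),
        "expired": sign_hs256({"sub": "alice", "exp": now - 1}, secret),
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_hs256(token, keys, now=now)
            results[name] = "accepted"
        except JWTError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The important design choice is ordering: the algorithm and header checks run before any key is touched, so a token that asks for a different algorithm or supplies its own key never influences which secret is used or how the signature is computed.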

Brute Force

If the target is signing tokens with a weak secret, the Brute Force feature can crack it directly in the browser — no external tools needed.

Secret Brute Force panel showing a successful match highlighted in green
When it hits, it hits fast. The matched secret is highlighted and ready to use.

The wordlist is intentionally narrow, built around secrets that actually show up in tutorials, framework documentation, example configs, and copy-pasted GitHub snippets. It won't replace Hashcat on a GPU rig, but that's not the point. The point is that a surprising number of production apps are running with secrets like secret, your-256-bit-secret, or whatever was in the Stack Overflow answer the developer grabbed three years ago and never changed.

Running entirely client-side means no server, no uploads, no external dependencies — just open the page and go. It should catch the low-hanging fruit in roughly 80% of cases where a developer used a placeholder or default value and left it in place.
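The brute-force feature succeeds because the secret is short, predictable, or copied from an example. The check below is an added example written for this page (not JWT Forge code) that an issuer can run at start-up so such a secret fails fast instead of shipping. The 32-byte floor is the RFC 7518 minimum key size for HS256; the placeholder list is a constructed sample seeded from the values named above, and the entropy threshold, `JWT_HMAC_SECRET` variable name and helper names are assumptions.

```python
"""Start-up policy check for an HS256 signing secret (added example; not JWT Forge code)."""
import math
import os
import secrets
from collections import Counter

MIN_SECRET_BYTES = 32    # RFC 7518: HS256 key must be at least the hash output size (256 bits)
MIN_ENTROPY_BITS = 3.0   # assumed threshold on Shannon bits per byte; catches "aaaa..." style values

# Constructed sample of placeholder values; a real deployment would load a larger list.
KNOWN_PLACEHOLDERS = {
    "secret", "your-256-bit-secret", "changeme", "password", "jwt-secret", "supersecret",
}


def shannon_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_secret(secret: bytes) -> list:
    """Return a list of policy violations; an empty list means the secret passes."""
    problems = []
    text = secret.decode("utf-8", errors="replace").strip().lower()
    if text in KNOWN_PLACEHOLDERS:
        problems.append("secret is a well-known placeholder value")
    if len(secret) < MIN_SECRET_BYTES:
        problems.append(f"secret is {len(secret)} bytes; HS256 needs at least {MIN_SECRET_BYTES}")
    if shannon_bits_per_byte(secret) < MIN_ENTROPY_BITS:
        problems.append("secret has too little byte-level variety")
    return problems


def new_secret() -> bytes:
    """Generate a replacement secret of the minimum size from the OS CSPRNG."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def load_secret_from_env(var: str = "JWT_HMAC_SECRET") -> bytes:
    """Fail closed: refuse to start with a missing or weak secret (var name is an assumption)."""
    raw = os.environ.get(var)
    if raw is None:
        raise RuntimeError(f"{var} is not set")
    secret = raw.encode()
    problems = check_secret(secret)
    if problems:
        raise RuntimeError(f"{var} rejected: " + "; ".join(problems))
    return secret


if __name__ == "__main__":
    for candidate in (b"secret", b"your-256-bit-secret", b"a" * 40, new_secret()):
        print(candidate[:16], check_secret(candidate) or "ok")
```

Storing the secret as raw bytes from `secrets.token_bytes` (or its hex/base64 encoding, which still satisfies the length floor) removes the whole class of wordlist hits this feature relies on; the placeholder list is only there to catch values that were never meant to be production secrets in the first place.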
