JWT Support for Burp
This branch is 4 commits ahead, 3 commits behind mvetsch:master.
Latest commit 5500f4e Jul 10, 2019


JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
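The detection and decoding described above, sketched as an added Python example. It is not code from JWT4B, which is a Java extension. The parameter names in `body_params`, the host `app.example` and the sample token are constructed assumptions.

```python
import base64
import json
import re
from urllib.parse import parse_qsl

# Three dot-separated base64url segments; an encoded JSON object starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def decode_jwt(token):
    """Return (header, payload), or None if token is not a JWT. Display only:
    the signature is NOT verified, so the claims must not be trusted."""
    if not JWT_RE.fullmatch(token):
        return None
    try:
        # JWTs strip base64 padding; restore it before decoding each part.
        header, payload = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                           for p in token.split(".")[:2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return header, payload

def find_jwts(raw_request, body_params=("token", "access_token")):
    """Find JWTs in a Bearer header and in the named form parameters
    (body_params is a hypothetical stand-in for the configurable list)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    candidates = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        scheme, _, cred = value.strip().partition(" ")
        if name.strip().lower() == "authorization" and scheme.lower() == "bearer":
            candidates.append(("header", cred.strip()))
    candidates += [("body:" + k, v) for k, v in parse_qsl(body) if k in body_params]
    decoded = [(where, decode_jwt(tok)) for where, tok in candidates]
    return [(where, d) for where, d in decoded if d is not None]

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token and request; the signature is a placeholder.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                         _b64url({"sub": "alice", "admin": False}), "c2lnbmF0dXJl"])
SAMPLE_REQUEST = ("POST /api/profile HTTP/1.1\r\n"
                  "Host: app.example\r\n"
                  "Authorization: Bearer " + SAMPLE_TOKEN + "\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "\r\n"
                  "token=" + SAMPLE_TOKEN + "&note=hello")

if __name__ == "__main__":
    for where, (header, payload) in find_jwts(SAMPLE_REQUEST):
        print(where, header, payload)
```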



Screenshot - Intercept View

Screenshot - Decode View

Screenshot - Suite Tab View


The following URL contains links to four pages which simulate a JWT being sent via XHR or as a cookie.

Building your own version (with Eclipse)

  1. Clone repository and create new Eclipse Java Project
  2. Right-click -> Configure -> Convert to Maven Project (downloading all required libraries)
  3. Open Burp -> Extender -> APIs -> Save interface files -> Copy all files to JWT4B\src\burp
  4. Export runnable fat JAR including libraries
  5. Load the JAR in Burp through the Extender Tab -> Extensions -> Add (Good to know: CTRL+Click on an extension to reload it)

Installation from BApp Store

This extension is available in the BApp Store.
