JWTXposer is an automated reconnaissance tool that scans public archives like the Wayback Machine, extracts leaked JWT tokens, and decodes them to identify potentially exploitable information.
Built specifically for bug bounty hunters, red teamers, and CTF players, JWTXposer eliminates manual JWT hunting and highlights juicy claims like userId, access_token, scope, authType, etc.
It performs automated passive recon, live endpoint analysis, and JWT decoding to extract juicy tokens that may lead to:
- Broken access control
- Privilege escalation
- Token replay attacks
- Weak signing key discovery
Many applications expose JWTs:
- In old, archived endpoints (e.g. via Wayback Machine)
- Inside query parameters or API paths
- Embedded in URLs, JS files, or redirects
These tokens may still:
- Be valid for replay
- Contain sensitive claims (like roles, user IDs, access tokens)
- Be improperly validated (`alg: none`, expired tokens accepted)
- Scrapes Wayback Machine for archived endpoints
- Extracts JWTs from URLs, query strings, and path parameters
- Automatically decodes JWTs (no secret key required)
- Highlights sensitive JWT claims (userId, scope, authType, etc.)
- Checks for live endpoints that are still accessible
- Uses multi-threading for speed (configurable!)
- Saves results in structured JSON output
- Outputs colorized summary table using `rich`
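The extract-and-decode step behind the features above (and the improper-validation cases listed earlier), as an added Python example that is not part of JWTXposer's own code: it pulls JWT-shaped strings out of a list of archived URLs, decodes header and payload with no key (only signature verification needs the secret), and records why each leaked token matters, i.e. `alg: none` / empty signature, missing or past `exp`, and sensitive claims. `SENSITIVE_CLAIMS`, `make_demo_token` and `SAMPLE_URLS` are assumptions constructed for this example so it runs offline against your own archived endpoints' output.

```python
import base64
import json
import re
import time

# Compact JWTs: three base64url segments; a JSON header always encodes to a string starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Claim names to highlight, mirroring the README's examples (assumed list, extend as needed).
SENSITIVE_CLAIMS = {"userId", "user_id", "access_token", "scope", "authType", "role", "roles"}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a constructed token (no real key, dummy or empty signature) to exercise the scanner."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"

def extract_jwts(text: str) -> list:
    """Return every JWT-shaped string found in URLs, query strings or path segments."""
    return JWT_RE.findall(text)

def analyze_jwt(token: str, now=None) -> dict:
    """Decode header and payload WITHOUT verifying the signature and record why the leak matters."""
    now = time.time() if now is None else now
    header_b, payload_b, signature = token.split(".", 2)
    header = json.loads(b64url_decode(header_b))
    payload = json.loads(b64url_decode(payload_b))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or not signature:
        findings.append("unsigned token (alg none / empty signature)")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp < now:
        findings.append(f"expired at {exp}")  # report anyway: the README notes servers may accept expired tokens
    sensitive = sorted(k for k in payload if k in SENSITIVE_CLAIMS)
    if sensitive:
        findings.append("sensitive claims: " + ", ".join(sensitive))
    return {"header": header, "payload": payload, "findings": findings}

# Constructed sample of archived URLs, shaped like a Wayback listing (not real data).
SAMPLE_URLS = "\n".join([
    "https://example.com/api/v1/user?token=" + make_demo_token({"alg": "none"}, {"userId": 42, "role": "admin"}),
    "https://example.com/static/app.js",
    "https://example.com/reset/" + make_demo_token({"alg": "HS256"}, {"sub": "u1", "exp": 1_600_000_000}, "dummysig"),
])
```

Every finding here is advisory: whether the origin server still accepts a flagged token is a separate live check, and the right remediation is to rotate the signing key, enforce `exp`, and reject `alg: none` server-side.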
```bash
git clone https://github.com/yourusername/JWTXposer.git
cd JWTXposer
pip install -r requirements.txt
```

Results are saved in `jwt_results.json`.

Planned features:
- Token replay testing (auto)
- Burp Suite plugin mode
- GitHub / Google dorking module
- JWT fuzzing (role, alg, scope)
- Anomaly detection on tokens (ML-based)