A fully client-side JWT decoder, signature verifier, and vulnerability scanner — no backend required, no data transmitted.
```bash
# Just open index.html in any modern browser
open index.html

# Python
python3 -m http.server 8080

# Node (http-server)
npx http-server -p 8080

# Then visit: http://localhost:8080
```

```text
jwt-analyzer/
├── index.html   # Main application (single-file, self-contained)
├── src/
│   └── rules.js # Modular vulnerability rules + types (ESM module)
└── README.md    # This file
```
rules.js is provided as a standalone ESM module for integration into other tools, CI pipelines, or Node.js test scripts. The index.html bundles equivalent logic inline for zero-dependency browser use.
- JWT Decoder — Split and base64url-decode header + payload with syntax highlighting
- Claim Tooltips — Hover over any claim name for RFC description
- Time Display — Human-readable iat/exp with countdown/elapsed
- HS256 / HS384 / HS512 via Web Crypto API (browser-native)
- RS256 / RS384 / RS512 with PEM public key
- All computation 100% client-side
| Rule ID | Name | Severity |
|---|---|---|
| ALG_NONE | Algorithm "none" detected | 🔴 Critical |
| HEADER_INJECTION | JKU/X5U/JWK header fields | 🔴 Critical |
| WEAK_SECRET | Secret under 256 bits | 🔴 Critical |
| TOKEN_EXPIRED | Token past exp claim | 🟠 High |
| MISSING_EXP | No expiration claim | 🟠 High |
| PAYLOAD_INJECTION | XSS/SQL patterns in claims | 🟠 High |
| DEPRECATED_ALG | SHA-1 based algorithm | 🟠 High |
| HS256_SYMMETRIC | Shared secret risk | 🟡 Medium |
| LONG_EXPIRY | Lifetime > 30 days | 🟡 Medium |
| MISSING_AUD | No audience claim | 🟡 Medium |
| MISSING_IAT | No issued-at claim | 🟢 Low |
| MISSING_NBF | No not-before claim | 🟢 Low |
- Edit payload in real-time JSON editor
- Re-sign with provided HMAC secret
- Side-by-side diff (original vs tampered)
- Load forged token for immediate re-analysis
- 0–100 score with grade A–F
- Visual progress bar
- Severity breakdown
- Summary recommendation
- alg:none attack demo
- Weak secret brute-force explanation
- No-expiry persistent token
- JKU header injection
- Valid best-practice reference token
- 10 structured test cases (Functional, Security, Negative, Privacy, Usability)
- Export as JSON for test management tools
All processing is 100% client-side:
- No network requests for token data
- No analytics or telemetry
- No localStorage usage
- Works fully offline after initial load
```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkFsaWNlIiwicm9sZSI6InVzZXIiLCJpYXQiOjE3MDAwMDAwMDAsImV4cCI6MTcwMDAwMzYwMCwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20iLCJuYmYiOjE3MDAwMDAwMDB9.placeholder
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMH0.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwicm9sZSI6InVzZXIiLCJpYXQiOjE3MDAwMDAwMDB9.WgVWCQ5tdK-GsFQiCkVpE3wM5FhpwIHZ8S5xFaRMDLc
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyNDU2IiwibmFtZSI6IkphbmUgRG9lIiwicm9sZSI6ImFkbWluIn0.Kx3MJEqDpG3K7zHJTq3_3nUWUfhBYIe-GNi9QvPxAD4
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImpraSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2tleXMuanNvbiJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJzdXBlcmFkbWluIn0.fakesig
```
The codebase is structured to support:
| Feature | Status |
|---|---|
| JWK URL verification (fetch & match) | 🗓 Planned |
| OAuth token introspection endpoint | 🗓 Planned |
| Save/print report as PDF | 🗓 Planned |
| Export vulnerability report (JSON ✅, PDF 🗓) | Partial |
| Swagger/OpenAPI JWT import | 🗓 Planned |
Add a new rule to src/rules.js:

```javascript
{
  id: 'MY_RULE',
  check: (header, payload, meta) => {
    if (/* your condition */) {
      return {
        id: 'MY_RULE',
        name: 'My Rule Name',
        severity: 'medium', // critical | high | medium | low
        description: 'What is wrong',
        exploit: 'How attackers use this',
        fix: 'How to fix it',
        ref: 'CVE or RFC reference',
        scoreDeduction: 10
      };
    }
    return null; // no issue
  }
}
```

Then add the rule to the VULNERABILITY_RULES array; the scanner picks it up automatically.
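As an added example (not the project's own code), here is a minimal compact-JWT decoder plus three rules written in the `{ id, check(header, payload, meta) }` shape above, with a score derived from `scoreDeduction` the way the README describes; the deduction values, rule text and the `finding` helper are assumptions, and the test token below is the README's own alg:none sample.

```javascript
// Added example, not the project's code; deduction values and rule text are assumptions.
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
// Split header.payload.signature; the signature is returned still encoded.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2],
  };
}

const finding = (id, severity, scoreDeduction, description, fix) =>
  ({ id, severity, scoreDeduction, description, fix });
const EXAMPLE_RULES = [
  { // Case-insensitive on purpose: "None"/"NONE" spellings have slipped past exact matches.
    id: 'ALG_NONE',
    check: (header) => String(header.alg).toLowerCase() === 'none'
      ? finding('ALG_NONE', 'critical', 50, 'Unsigned token: alg is "none"',
                'Reject "none" and pin the expected algorithm server-side')
      : null,
  },
  {
    id: 'MISSING_EXP',
    check: (header, payload) => payload.exp === undefined
      ? finding('MISSING_EXP', 'high', 20, 'No exp claim: the token never expires',
                'Issue short-lived tokens with exp set')
      : null,
  },
  { // Lifetime > 30 days, measured as exp - iat when both claims are present.
    id: 'LONG_EXPIRY',
    check: (header, payload) =>
      payload.exp !== undefined && payload.iat !== undefined &&
      payload.exp - payload.iat > 30 * 24 * 3600
        ? finding('LONG_EXPIRY', 'medium', 10, 'Lifetime exceeds 30 days',
                  'Cap token lifetime and rotate via refresh tokens')
        : null,
  },
];

// Run every rule (null means no issue) and score 100 minus deductions, floored at 0.
function scanToken(token, rules = EXAMPLE_RULES, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = rules.map((r) => r.check(header, payload, { now })).filter(Boolean);
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + f.scoreDeduction, 0));
  return { findings, score };
}
```

`scanToken(token)` returns `{ findings, score }`; the README's alg:none sample token yields ALG_NONE and MISSING_EXP for a score of 30.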
- RFC 7519 — JSON Web Token
- RFC 7518 — JSON Web Algorithms
- OWASP JWT Cheat Sheet
- CVE-2015-9235 — jwt-simple alg:none
- CVE-2018-0114 — JKU header injection
- NIST SP 800-131A Rev 2 — Algorithm deprecation
This tool is for educational and authorized security testing purposes only. Do not use it to test systems you do not own or have explicit written permission to test.