JWTF has two main purposes:
- Allow users to manually decode, analyze, and alter JSON Web Tokens (JWTs).
- Automatically generate manipulated JWTs to be used in penetration tests, security audits, bug bounty hunting, and CTFs.
JWTF was developed by Hackmanit and Niklas Conrad.
JWTF supports all well-known attacks against the validation of JWTs and automatically applies these attack vectors to a given JWT. As output, it generates a text file containing all manipulated tokens. This text file can then be used in semi-automated tests, for example with the "Intruder" feature of Burp Suite.
This eases the process of testing an implementation's JWT validation logic for vulnerabilities.
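As an added example (not JWTF's own code), the following Python sketch shows the decode, sign and verify steps the tool's feature list refers to, written from the verifying side: the verifier pins the algorithm and key instead of trusting the token header, which is exactly the validation logic that a file of manipulated tokens is meant to exercise. The key and all token contents are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key for this example; a real service loads its key from secret storage.
DEMO_KEY = b"constructed-demo-secret-do-not-use"

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_json(obj: dict) -> str:
    # Compact JSON (no whitespace) is the usual form of a token's header and body.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def decode_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split and decode a compact JWS without verifying it (the 'decode' step)."""
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), b64url_decode(sig)

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Encode header and payload and sign them with HMAC-SHA256 (the 'sign' step)."""
    signing_input = b64url_json(header) + "." + b64url_json(payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256_strict(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 JWS under `key`, else None.
    The algorithm is pinned here rather than taken from the header, so a manipulated
    token whose header switches `alg` (e.g. to "none") fails before any MAC check."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64/padding, or invalid JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims
```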
- Decode/Encode JWTs
- Sign/Verify JWTs
- Beautify/Minify JSON in the token's header and body
- Support for invalid JSON in the token's header or body
- Apply all* well-known attacks against JWTs to a given JWT
- Encrypt/Decrypt JSON Web Encryption (JWE)
- Generate keys for signing JWTs
- Convert PEM to JWK and vice versa
- Support for all signature algorithms specified in RFC 7518
- Support for (almost) all encryption algorithms specified in RFC 7518
More information will follow soon.
*as of 2025-08-14
Simply access https://jwt.wtf/ to use JWTF. There is no need to download this repository unless you want to contribute to the development of JWTF or want to use JWTF locally.
A blog post providing more information about JWTF will be released in the future here:
Cyber Security Blog - Hackmanit
JWTF was developed as part of a bachelor's thesis by Niklas Conrad. The results of the bachelor's thesis are publicly available here:
- Soon: Bachelor's Thesis (PDF)
JSON Web Token Forgery (JWTF) was developed by Hackmanit and Niklas Conrad as part of his bachelor's thesis. JWTF is licensed under the Apache License, Version 2.0.