Learn how to test JSON Web Token implementations for algorithm confusion, signature bypass, claim manipulation, and key disclosure vulnerabilities.
Base64url-decode the JWT header and payload to understand the algorithm, claims, and structure. Identify the signing algorithm (HS256, RS256, etc.), expiration, and custom claims that control access. JWT segments are base64url-encoded without padding, so `base64 -d` may need `=` padding appended and `-`/`_` translated to `+`/`/` for segments whose length is not a multiple of 4.
echo "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.xxx" | cut -d. -f1 | base64 -d
Or use the Payload Playground JWT Decoder tool.
Change the algorithm in the header to "none" and remove the signature. If the server does not enforce algorithm verification, it will accept the unsigned token.
{"alg":"none","typ":"JWT"}
{"alg":"None","typ":"JWT"}
{"alg":"NONE","typ":"JWT"}
{"alg":"nOnE","typ":"JWT"}
If the server uses RS256 (asymmetric), try changing to HS256 (symmetric) and sign with the public key. The server may use the public key as the HMAC secret.
Header: {"alg":"HS256","typ":"JWT"}
Sign with the RSA public key as HMAC secret
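The decode step above and both header attacks (alg "none" variants and RS256-to-HS256 confusion) share one root cause: the server lets the token's own header choose how it is verified. The following is an added example, not code from Payload Playground or from any library, showing the defensive pattern: decode the segments with padding handled, then pin the expected algorithm server-side and compare it case-sensitively against an allow-list before touching the signature. It implements HS256 only (stdlib hmac), and the secret and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real service loads its secret from a secret store.
HMAC_SECRET = b"example-shared-secret-not-for-production"
# Pin exactly the algorithm(s) this service issues; never derive this from the header.
ALLOWED_ALGS = frozenset({"HS256"})


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Split a compact JWT and parse header and payload WITHOUT checking the signature.
    Use this only for inspection; authorization decisions must go through verify()."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue an HS256 token (used here only to build test inputs)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, secret: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Verify a JWT with the algorithm pinned server-side. HS256 only in this example."""
    header, payload, sig_segment = decode_unverified(token)
    alg = header.get("alg")
    # Exact, case-sensitive allow-list match: "none", "None", "nOnE" and any algorithm
    # the server never issues (e.g. HS256 on an RS256-only service) all fail here,
    # before any key material is used.
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_segment)):
        raise ValueError("bad signature")
    return payload


def check(token: str, secret: bytes) -> str:
    """Summarise the verifier's decision for a token as 'accepted:<sub>' or 'rejected:<why>'."""
    try:
        payload = verify(token, secret)
        return "accepted:" + str(payload.get("sub", ""))
    except ValueError as exc:  # covers JSON, base64 and our own verification errors
        return "rejected:" + str(exc)


if __name__ == "__main__":
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user", "role": "user"}, HMAC_SECRET)
    print(check(good, HMAC_SECRET))
    unsigned = b64url_encode(b'{"alg":"nOnE","typ":"JWT"}') + "." + good.split(".")[1] + "."
    print(check(unsigned, HMAC_SECRET))
```

The allow-list is a set of exact strings, so the casing tricks listed above are rejected for free, and a service that only signs with RS256 would list "RS256" alone, which makes a header claiming HS256 fail before the public key is ever passed to an HMAC.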
Modify payload claims to escalate privileges. Change user roles, user IDs, email addresses, or any claim used for authorization decisions. Re-sign with a weak or known secret.
{"sub":"admin","role":"administrator"}
{"user_id":1,"is_admin":true}
{"email":"admin@target.com"}
If HS256 is used, attempt to brute-force the signing secret. Many applications use weak or default secrets. Tools like hashcat and jwt_tool can crack JWT secrets.
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
jwt_tool TOKEN -C -d wordlist.txt
Common secrets: secret, password, 123456, key
Check whether expired tokens are still accepted, whether token revocation actually takes effect, and whether refresh tokens can be reused after rotation. Test for race conditions in token refresh flows (two concurrent refresh requests with the same token both succeeding).
Set "exp" to a past date and replay
Reuse a refresh token after rotation
Send expired access token without refresh
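The three lifecycle checks above map onto two server-side controls: strict handling of the time claims, and single-use refresh tokens with reuse detection. The block below is an added example (not code from Payload Playground or any library) of both, with a lock around rotation so two concurrent refresh requests cannot both succeed. The leeway value, session names and claim values are constructed for the example.

```python
import secrets
import threading

CLOCK_SKEW_LEEWAY = 30  # seconds of tolerated clock drift; not a grace period for replay


def check_time_claims(claims: dict, now: float, leeway: int = CLOCK_SKEW_LEEWAY) -> str:
    """Return 'ok' or the reason an access token's time claims fail."""
    exp = claims.get("exp")
    if exp is None:
        return "missing exp"      # a token that never expires is a permanent replay risk
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return "malformed exp"    # reject "never"/true rather than coercing them
    if now > exp + leeway:
        return "expired"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return "not yet valid"
    return "ok"


class RefreshTokenStore:
    """Refresh-token rotation with reuse detection.

    Every refresh token belongs to a family (one family per login session).
    Rotating a token marks it used and issues a successor. Presenting a token
    that was already rotated means either the client or an attacker holds a
    stale copy, so the whole family is revoked and the session must re-authenticate.
    """

    def __init__(self):
        self._tokens = {}       # token -> {"family": str, "used": bool}
        self._revoked = set()   # families that have been killed
        self._lock = threading.Lock()  # rotation must be atomic (check-then-mark)

    def issue(self, family: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = {"family": family, "used": False}
        return tok

    def rotate(self, presented: str):
        """Return (new_token, status). new_token is None on any rejection."""
        with self._lock:
            rec = self._tokens.get(presented)
            if rec is None:
                return None, "unknown token"
            family = rec["family"]
            if family in self._revoked:
                return None, "family revoked"
            if rec["used"]:
                self._revoked.add(family)  # reuse => treat as theft, end the session
                return None, "reuse detected, family revoked"
            rec["used"] = True
            return self.issue(family), "rotated"

    def is_revoked(self, family: str) -> bool:
        return family in self._revoked


if __name__ == "__main__":
    now = 1_700_000_000
    print(check_time_claims({"exp": now - 3600}, now))
    store = RefreshTokenStore()
    first = store.issue("session-A")
    second, status = store.rotate(first)
    print(status, store.rotate(first)[1])
```

In a multi-instance deployment the lock becomes a conditional update in the shared token store (update only where used is still false); the logic of "first rotation wins, any later presentation revokes the family" is what closes both the replay and the race-condition findings.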