Free & Open Source · Burp Suite Extension

The Most Complete JWT Security Scanner for Burp Suite

JWTLens automatically detects and exploits JWT vulnerabilities as you browse. 62 security checks — passive scanning, algorithm confusion, KID injection, weak secrets, JWT Forge editor, and secret extraction. Built for real penetration testing.

62 Security Checks · 31 High Severity · 200+ Built-in Secrets · Free (MIT License)

[Image: JWTLens — JWT Security Scanner for Burp Suite logo with magnifying glass analyzing JWT tokens]

Everything JWT Security Needs, Built Into Burp

No other Burp extension covers the full JWT attack surface. JWTLens runs automatically in the background and gives you a complete toolkit when you want to go deeper.

🔍 Automatic Passive Scanning

23 passive checks run on every request and response flowing through Burp Proxy. No configuration required — JWT misconfigurations are flagged the instant they appear in your traffic.

⚔️ 33 Active Attack Checks

One right-click triggers all known JWT attack vectors: algorithm none (16 permutations), algorithm confusion with real JWKS parsing, KID injection, header injection, claim tampering, and CVE-2022-21449.

🔬 JWT Forge Tab

A live jwt.io-style editor built into Burp. Paste any JWT, edit headers and claims, re-sign with any algorithm, and export as a ready-to-use cURL or Python script. Discovered secrets auto-load.

🕵️ Passive Secret Extraction

Automatically scans every JS, JSON, HTML, and text response for hardcoded JWT secrets, RSA/EC private keys, inline JWKS, and Base64-encoded secrets. Feeds directly into active attacks.

💥 Real Algorithm Confusion

The RS256 to HS256 attack fetches the server's actual public key from JWKS endpoints, follows OIDC discovery, and uses keys found by the secret extractor — so it actually works on real targets.

📊 Findings Dashboard

Color-coded severity table (High, Medium, Low, Info) with full advisory panel, decoded JWT view, smart deduplication per host, and one-click CSV export for reporting.

🔑 Weak Secret Brute Force

Offline HMAC verification against 200+ built-in secrets plus any secrets discovered by the extractor during your session. Custom wordlist upload supported — all from the Burp UI.

🔄 Request + Response Aware

All actions search both the HTTP request and response for JWTs. When multiple tokens are found, a picker dialog lets you choose. Each JWT is labeled with its source location.

See JWTLens in Action

Real screenshots from live testing sessions against PortSwigger JWT labs and intentionally vulnerable applications.

[Screenshot: JWTLens passive scanning in Burp Suite — site map view showing 20+ JWT findings detected automatically including weak HMAC secret, exposed secrets, and header injection vulnerabilities]

Instant Passive Detection in Burp Proxy

Just browse with Burp running. JWTLens automatically intercepts every request and response, detecting JWT tokens and analyzing them in real time. The Burp Issues tab fills up with color-coded findings before you even run an active scan.

  • Detects JWTs in headers, cookies, URL params, and response bodies
  • Checks for missing expiry, insecure cookie flags, sensitive data exposure
  • Flags dangerous header parameters: kid, jku, x5u, x5c, jwk
  • Zero configuration — works from the moment you install it
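As an added illustration of what these passive checks look like in code (example code written for this page, not JWTLens's own implementation): a small checker that pulls JWTs out of a raw HTTP request or response, decodes them without verifying the signature, and raises findings using the check IDs and severities from the 62-check list on this page. The HTTP response it scans and the two tokens inside it are constructed fixtures, not captured traffic.

```python
import base64
import json
import re

# Added example, not JWTLens code. Check IDs/severities follow the list on this
# page; the HTTP message and tokens below are constructed fixtures.

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
DANGEROUS_HEADER_PARAMS = {
    "kid": ("P15", "Info"), "jku": ("P16", "Low"), "x5u": ("P17", "Low"),
    "x5c": ("P18", "Low"), "jwk": ("P19", "Low"),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Return (header, payload) dicts, or None if the token does not parse."""
    try:
        h, p, _sig = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:  # bad split, bad base64, bad JSON, bad UTF-8
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    return header, payload


def analyze_token(token: str, location: str) -> list:
    """Header-parameter and claim checks that need no network traffic."""
    findings = []
    decoded = decode_jwt(token)
    if decoded is None:
        return findings
    header, payload = decoded
    for name, (check_id, sev) in DANGEROUS_HEADER_PARAMS.items():
        if name in header:
            findings.append({"id": check_id, "severity": sev, "location": location,
                             "detail": f"{name} header parameter present"})
    if "exp" not in payload:
        findings.append({"id": "P07", "severity": "High", "location": location,
                         "detail": "missing exp claim"})
    return findings


def analyze_cookie(set_cookie_value: str) -> list:
    """Flag a JWT-bearing Set-Cookie that lacks HttpOnly / Secure / SameSite."""
    findings = []
    attrs = [a.strip() for a in set_cookie_value.split(";")]
    name_value, flags = attrs[0], {a.split("=")[0].lower() for a in attrs[1:]}
    match = JWT_RE.search(name_value)
    if not match:
        return findings
    loc = f"Set-Cookie:{name_value.split('=', 1)[0]}"
    findings += analyze_token(match.group(0), loc)
    for flag, check_id, sev in (("httponly", "P04", "Medium"),
                                ("secure", "P05", "Medium"),
                                ("samesite", "P06", "Low")):
        if flag not in flags:
            findings.append({"id": check_id, "severity": sev, "location": loc,
                             "detail": f"cookie missing {flag} attribute"})
    return findings


def scan_message(raw: str) -> list:
    """Run the passive checks over one raw HTTP request or response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    is_response = lines[0].startswith("HTTP/")
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            findings += analyze_cookie(value)
        elif name in ("cookie", "authorization"):
            for m in JWT_RE.finditer(value):
                findings += analyze_token(m.group(0), f"header:{name}")
    for m in JWT_RE.finditer(body):
        if is_response:
            findings.append({"id": "P14", "severity": "Medium", "location": "response body",
                             "detail": "JWT leaked in HTTP response body"})
        findings += analyze_token(m.group(0), "body")
    return findings


def _fixture_token(header: dict, payload: dict) -> str:
    # Fixture only: the signature part is left empty; nothing above verifies it.
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), ""])


SESSION_TOKEN = _fixture_token({"alg": "HS256", "typ": "JWT", "kid": "key-1"}, {"sub": "alice"})
API_TOKEN = _fixture_token({"alg": "RS256", "typ": "JWT", "jku": "https://idp.example/jwks.json"},
                           {"sub": "bob", "exp": 1900000000})
SAMPLE_RESPONSE = (  # constructed, not captured traffic
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    f"Set-Cookie: session={SESSION_TOKEN}; Path=/\r\n"
    "Set-Cookie: csrf=r4nd0m; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    f'{{"access_token": "{API_TOKEN}"}}'
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE_RESPONSE):
        print(f"[{f['severity']:<6}] {f['id']} {f['location']}: {f['detail']}")
```

On the fixture response this reports the kid parameter, the missing exp claim and the three missing cookie attributes on the session cookie, plus the jku parameter and the body leak for the API token; the csrf cookie carries no JWT and produces nothing. Deduplication per host and per token signature, which the page describes for the real extension, is left out here.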

[Screenshot: JWTLens findings dashboard in Burp Suite — color-coded severity table with 35 findings, advisory panel, scanner settings, and brute force wordlist configuration]

Centralized Findings Dashboard

The JWTLens tab gives you a dedicated security dashboard inside Burp Suite. All JWT findings in one place, sortable by severity, with full advisory details and remediation guidance for every issue.

  • Color-coded severity: red High, orange Medium, blue Low, gray Info
  • Full advisory panel with remediation guidance per finding
  • Decoded JWT panel shows header, payload, and signature
  • Scanner settings, custom wordlist upload, and CSV export

[Screenshot: JWTLens right-click context menu in Burp Suite Proxy — showing Run Passive Checks, Run Full Active Scan, Brute Force Secret Only, Send to JWT Forge, and Decode JWT options]

One Right-Click to Attack

Right-click any request in Proxy, Repeater, Intruder, or Logger to access the full JWTLens attack menu. Run passive checks, fire all active attacks, or send the token straight to the Forge tab for manual editing.

  • Run Passive Checks — instant analysis, no requests sent
  • Run Full Active Scan — all 33 attack vectors in one click
  • Brute Force Secret Only — offline HMAC cracking
  • Send to JWT Forge — edit and re-sign the token
  • Works on JWTs found in both request and response

[Screenshot: JWTLens JWT Forge tab — live JWT editor with algorithm selector, discovered secret auto-filled, editable payload showing admin role, and forged token output ready to copy]

JWT Forge — Live Token Editor

JWT Forge is a full jwt.io-style editor built directly into Burp Suite. When brute force cracks a secret, the token and secret are automatically loaded into Forge so you can immediately re-sign with elevated privileges.

  • Paste any JWT — instantly decodes with syntax coloring
  • Algorithm selector: none, HS256/384/512, RS256/384/512
  • One-click "Use Discovered Secret" from the extractor
  • Export as cURL command or Python requests script
  • Loaded automatically when brute force finds the secret

62 JWT Security Checks

The most complete JWT check coverage of any Burp extension. Every known JWT attack vector, misconfiguration, and CVE.

Active checks

ID  | Check | Severity
A01 | Algorithm None attack — all 16 case permutations of "none" | High
A02 | Invalid signature accepted — verification not enforced | High
A03 | Signature stripping — empty signature accepted | High
A04 | Expired JWT accepted by server | High
A05 | Empty secret key accepted (HMAC with empty password) | High
A06 | Weak secret brute force — 200+ built-in + extracted secrets | High
A07 | Algorithm confusion RS256→HS256 with real JWKS public key | High
A08 | JWK header injection — self-signed key embedded in token | High
A09 | JKU header injection — attacker-controlled JWKS URL | High
A10 | JKU SSRF pingback — server makes outbound request | Medium
A11 | X5U header injection — attacker-controlled certificate URL | High
A12 | X5C header injection — self-signed certificate in token | High
A13 | KID path traversal — 10+ traversal paths including /dev/null | High
A14 | KID SQL injection — UNION SELECT, OR bypass, error-based | High
A15 | KID command injection — time-based with sleep payloads | High
A16 | KID LDAP injection — wildcard and filter manipulation | High
A17 | Not Before (nbf) claim not enforced | Medium
A18 | Claim tampering — admin, role, sub privilege escalation | High
A19 | Subject claim enumeration — user ID discovery | Medium
A20 | CVE-2022-21449 Psychic Signatures — Java ECDSA zero bypass | High
A21 | ECDSA signature malleability | Low
A22 | Cross algorithm signing — HS384, HS512 with empty/known key | High
A23 | Null signature bytes accepted | High
A24 | Token accepted beyond reasonable clock skew tolerance | Medium
A25 | Algorithm confusion with forged public key (Sign2n) | High
A26 | Weak RSA key size — modulus under 2048 bits | High
A27 | JWKS endpoint discovery — well-known paths | Info
A28 | Payload modification accepted without re-signing | High
A29 | typ header manipulation accepted | Low
A30 | Token confusion between endpoints — cross-service replay | Medium
A31 | Token still valid after logout | Medium
A32 | Token still valid after password change | Medium
A33 | JWKS spoofing via well-known path override | High

Passive checks

ID  | Check | Severity
P01 | JWT detected in HTTP traffic | Info
P02 | JWT exposed in URL query parameter | Medium
P03 | JWT exposed in URL fragment | Medium
P04 | JWT cookie missing HttpOnly flag | Medium
P05 | JWT cookie missing Secure flag | Medium
P06 | JWT cookie missing SameSite attribute | Low
P07 | JWT missing expiration (exp) claim | High
P08 | JWT has excessive lifetime (configurable threshold) | Low
P09 | Sensitive data in JWT payload — emails, passwords, API keys | Medium
P10 | Expired JWT still being sent in requests | Info
P11 | Missing issuer (iss) claim | Low
P12 | Missing audience (aud) claim | Low
P13 | Symmetric algorithm detected — brute force advisory | Info
P14 | JWT leaked in HTTP response body | Medium
P15 | kid (Key ID) parameter present | Info
P16 | jku (JWKS URL) parameter present | Low
P17 | x5u (X.509 Certificate URL) parameter present | Low
P18 | x5c (X.509 Certificate Chain) parameter present | Low
P19 | jwk (Embedded JSON Web Key) parameter present | Low
P20 | Nested JWT detected inside payload | Info
P21 | Weak or deprecated signing algorithm | Medium
P22 | Missing not before (nbf) claim | Info
P23 | Missing unique identifier (jti) claim | Info

Secret extraction checks

ID  | Check | Severity
S01 | JWT signing secret extracted from JS/JSON/HTML response | High
S02 | RSA/EC private key exposed in HTTP response | High
S03 | RSA public key found in HTTP response | Low
S04 | Inline JWKS found in response body | Low
S05 | JWKS URL reference discovered in response | Info
S06 | Base64-encoded secret decoded from response | High

JWTLens vs Other JWT Extensions

Every other Burp JWT extension covers a fraction of the attack surface. JWTLens was built to fix that.

Other JWT Extensions

  • No passive scanning — manual only
  • ~16 active checks
  • Duplicate findings on every request
  • No weak secret brute force
  • No KID SQL / command / LDAP injection
  • No x5u / x5c header injection
  • No claim tampering tests
  • No cookie security checks
  • No JWT editor with re-signing
  • No secret extraction from JS responses
  • Algorithm confusion uses generated keys — never works on real targets
  • No CSV export, no custom wordlist

JWTLens

  • 23 passive checks on every request automatically
  • 33 active checks — full attack surface
  • Smart deduplication per host + JWT signature
  • 200+ built-in secrets + custom wordlist
  • KID SQL, command, and LDAP injection
  • Full x5u and x5c header injection
  • Role, admin, sub privilege escalation
  • HttpOnly, Secure, SameSite cookie checks
  • JWT Forge tab with live editing and signing
  • Passive secret extraction from JS/JSON/HTML
  • Algorithm confusion with server's real public key
  • CSV export, custom wordlist, full findings dashboard

Get Started in 3 Minutes

JWTLens requires Java 17+ and Burp Suite Professional or Community Edition 2024.1+.

1. Clone and Build
   Clone the repo and build the JAR with Gradle. No dependencies to install beyond Java.

2. Open Burp Suite
   Go to Extensions → Installed → Add. Set Extension Type to Java.

3. Load the JAR
   Select build/libs/jwtlens-1.0.0.jar and click Next. Two new tabs appear immediately.

4. Start Browsing
   JWTLens is fully active. Browse any target app and findings appear automatically.

# Clone the repository
git clone https://github.com/chawdamrunal/JWTLens.git
cd JWTLens/jwtlens-burp

# Build the JAR (requires Java 17+)
./gradlew clean jar

# Confirm the JAR was produced
ls build/libs/jwtlens-1.0.0.jar

# Load in Burp Suite (manual step in the Burp UI, not a shell command):
# Extensions → Installed → Add → Java → Select JAR → Next

Frequently Asked Questions

What is JWTLens and what does it do?
JWTLens is a free, open-source Burp Suite extension that automatically scans JWT (JSON Web Token) tokens for security vulnerabilities. It performs 62 security checks including algorithm none attacks, algorithm confusion (RS256 to HS256), KID injection (SQL, command, LDAP), weak secret brute force, header injection (JWK, JKU, x5u, x5c), claim tampering, and cookie security checks. It also includes a live JWT editor called JWT Forge and a passive secret extractor.
Does JWTLens work with Burp Suite Community Edition?
Yes. JWTLens works with both Burp Suite Professional and Community Edition (version 2024.1 or later with Montoya API support). You need Java 17 or later to run it. There is no paid version — JWTLens is completely free under the MIT license.
What makes JWTLens different from other Burp JWT extensions?
JWTLens is the only Burp JWT extension with full passive scanning (23 checks run on every request automatically), a live JWT editor with signing (JWT Forge), passive secret extraction from JS/JSON responses, and proper JWKS-based algorithm confusion attacks that actually work on real targets. Other extensions cover ~16 active checks only, with no passive scanning, no JWT editor, and no secret extraction.
What is the JWT Forge tab?
JWT Forge is a dedicated Burp tab that works like jwt.io but with attack capabilities. You can paste any JWT to decode it, edit the header and payload JSON, change the algorithm, enter a secret or private key, and sign a new token. The signed token can be copied directly, or exported as a cURL command or Python requests script. When brute force cracks a secret, the token and secret are automatically loaded into Forge so you can immediately re-sign with elevated privileges.
How does the algorithm confusion attack work in JWTLens?
JWTLens implements a multi-phase approach for the RS256 to HS256 algorithm confusion attack. It first fetches JWKS from well-known endpoints, then follows the OpenID Connect discovery document for a jwks_uri, then uses any public keys discovered by the passive Secret Extractor from JS/API responses. It tests each real key in both DER and PEM encoding as the HMAC secret. This means it actually works against real targets where other extensions always fail because they use generated keys that the server never recognizes.
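To make the verifier-side defect concrete, here is an added example (written for this page; it is not JWTLens code, nor any library's implementation) showing why the RS256 to HS256 confusion described above succeeds and what the fix looks like: a naive verifier that lets the token's alg header choose the primitive and reuses the RSA public key bytes as an HMAC secret, beside a hardened one that binds each registered key to exactly one algorithm and checks that binding before any cryptographic call. The PEM string is a placeholder, not a real key, and RS256 verification itself is delegated to a JWT library rather than implemented here.

```python
import base64
import hashlib
import hmac
import json

# Added example, not JWTLens or library code. The key material is a constructed
# placeholder; the point is the alg/key binding in hardened_verify().

PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                  b"-----END PUBLIC KEY-----\n")


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact-serialized HS256 token (used here to build test vectors)."""
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def _split(token: str):
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            f"{h}.{p}".encode(), b64url_decode(s))


def rsa_verify(public_pem: bytes, signing_input: bytes, sig: bytes) -> bool:
    # Real RS256 verification needs an RSA implementation; delegate it to a JWT
    # library in production. The demonstration below never reaches this path.
    raise NotImplementedError("delegate RS256 verification to a JWT library")


def naive_verify(token: str, key: bytes) -> bool:
    """Flawed pattern: the token's alg picks the primitive, and one key object
    (the RSA public key PEM) is handed to whichever primitive that is."""
    header, _payload, signing_input, sig = _split(token)
    if header.get("alg") == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)
    if header.get("alg") == "RS256":
        return rsa_verify(key, signing_input, sig)
    return False


# Hardened pattern: every key is registered with the single algorithm it may be
# used with, and HMAC is only reachable for symmetric ("oct") keys.
KEYSET = {
    "rsa-1": {"kty": "RSA", "alg": "RS256", "material": PUBLIC_KEY_PEM},
    "hmac-1": {"kty": "oct", "alg": "HS256", "material": b"constructed-demo-secret"},
}


def hardened_verify(token: str, keyset: dict) -> tuple:
    """Return (accepted, reason). The alg check happens before any crypto."""
    header, _payload, signing_input, sig = _split(token)
    key = keyset.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if header.get("alg") != key["alg"]:
        return False, f"alg {header.get('alg')!r} not permitted for key {header['kid']!r} ({key['alg']})"
    if key["kty"] == "oct":
        expected = hmac.new(key["material"], signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig), "hmac"
    return rsa_verify(key["material"], signing_input, sig), "rsa"


def demo() -> dict:
    # Test vector: an HS256 token whose MAC key is the public-key PEM bytes,
    # i.e. what a server doing naive verification would accept.
    confused = hs256_sign({"alg": "HS256", "typ": "JWT", "kid": "rsa-1"},
                          {"sub": "alice"}, PUBLIC_KEY_PEM)
    legit = hs256_sign({"alg": "HS256", "typ": "JWT", "kid": "hmac-1"},
                       {"sub": "alice"}, KEYSET["hmac-1"]["material"])
    return {
        "naive_accepts_confused": naive_verify(confused, PUBLIC_KEY_PEM),
        "hardened_accepts_confused": hardened_verify(confused, KEYSET)[0],
        "hardened_reason": hardened_verify(confused, KEYSET)[1],
        "hardened_accepts_legit": hardened_verify(legit, KEYSET)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive verifier accepts the confused token because nothing stops the HS256 branch from running with public-key bytes as its secret; the hardened one rejects it at the alg check, before any MAC is computed, and still accepts the properly keyed HS256 token. The same binding is what makes the DER-versus-PEM probing the FAQ describes irrelevant to a correctly configured server: no encoding of an RSA key is ever a valid HMAC secret there.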
Where can I test JWTLens to see all checks in action?
The best targets are PortSwigger JWT Labs (free, covers algorithm none, weak keys, JWK injection, JKU injection, KID path traversal, algorithm confusion), Broken Crystals (Docker, widest JWT attack range), WebGoat (Docker, JWT section with 4 challenges), and OWASP Juice Shop (Docker, weak secret challenges).

Ready to Test Your JWT Security?

JWTLens is free, open-source, and works with Burp Suite Community Edition. Start finding JWT vulnerabilities in minutes.
