Documentation & Learning Resources
Back to Tool

JWT Editor Guide

Advanced Tool Updated: May 2024

The JWT Editor is a powerful tool that allows you to modify existing JWT tokens by editing their headers and payloads, then re-signing them with different algorithms and keys. This is essential for testing JWT implementations and exploring potential security vulnerabilities.

What is JWT Editing?

JWT editing involves modifying the contents of a JWT token while maintaining its structural integrity. This includes:

  • Header modification: Changing algorithm, type, or other header parameters
  • Payload modification: Altering claims like user ID, roles, expiration time
  • Re-signing: Generating a new signature with a different key or algorithm
  • Algorithm confusion: Testing how applications handle algorithm changes
Use Cases: JWT editing is commonly used for privilege escalation testing, authentication bypass attempts, and exploring JWT implementation flaws.

How to Use the JWT Editor

Step 1: Navigate to the Tool

Click on the "✏️ JWT Editor" tab in the main JWTAuditor interface.

Step 2: Load a JWT Token

Paste your JWT token in the "JWT Token to Edit" field and click "Load JWT". The tool will:

  • Parse and validate the token structure
  • Extract the header and payload
  • Display them in editable JSON format
  • Set the signature algorithm selector

Tip: The editor automatically formats JSON for better readability. Ensure your modifications maintain valid JSON syntax, or the tool will display a validation error.

Step 3: Edit the Header

Modify the header JSON in the Header editor. Common modifications include:

Algorithm Change

{
  "alg": "none",  // Changed from "HS256"
  "typ": "JWT"
}

Adding Key ID

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "../../etc/passwd"  // Path traversal attempt
}

Step 4: Edit the Payload

Modify the payload JSON to change claims. Common testing scenarios:

Privilege Escalation

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",  // Changed from "user"
  "iat": 1516239022,
  "exp": 1516242622
}

User Impersonation

{
  "sub": "999999999",  // Changed user ID
  "name": "Administrator",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}

Step 5: Configure Signature Options

Choose the signing algorithm and provide the necessary keys:

none Algorithm

No signature required. Used to test if the application accepts unsigned tokens.

Risk: Complete authentication bypass if accepted.

HMAC Algorithms (HS256, HS384, HS512)

Requires a shared secret key. Use known or brute-forced secrets.

Example: mysecretkey

RSA Algorithms (RS256, RS384, RS512)

Requires a private key for signing. Use for testing with known private keys.

Note: Only the private key is needed for signing.

Step 6: Generate the Modified Token

Click "Generate JWT" to create the modified token. The tool will:

  • Validate the JSON syntax
  • Update the algorithm in the header
  • Generate the appropriate signature
  • Display the complete modified JWT

Step 7: Copy and Test

Use the "Copy to Clipboard" button to copy the modified token and test it in your target application.

Common Attack Scenarios

1. Algorithm Confusion Attack

Test if the application accepts tokens with different algorithms:

none Algorithm Bypass

Change the algorithm to "none" to test if the application accepts unsigned tokens.

// Original Header
{
  "alg": "HS256",
  "typ": "JWT"
}

// Modified Header
{
  "alg": "none",
  "typ": "JWT"
}

HMAC to RSA Confusion

Change from HMAC to RSA algorithm using the RSA public key as HMAC secret.

// Original Header
{
  "alg": "RS256",
  "typ": "JWT"
}

// Modified Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Then use the RSA public key as the HMAC secret when re-signing.

2. Privilege Escalation

Modify user roles and permissions in the payload:

// Original Payload
{
  "sub": "1234567890",
  "name": "Regular User",
  "role": "user",
  "permissions": ["read"]
}

// Modified Payload
{
  "sub": "1234567890",
  "name": "Regular User",
  "role": "admin",
  "permissions": ["read", "write", "delete", "admin"]
}

3. Token Expiration Bypass

Extend or remove expiration times:

// Original Payload (expired)
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622  // Past expiration
}

// Modified Payload (future expiration)
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1915934400  // Year 2030
}

4. User Impersonation

Change user identifiers to impersonate other users:

// Original Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john@example.com"
}

// Modified Payload
{
  "sub": "0000000001",  // Admin user ID
  "name": "Administrator",
  "email": "admin@example.com"
}

Advanced Features

Signature Verification

The JWT Editor includes a signature verification feature to test if a secret key is correct:

  1. Load a JWT token
  2. Enter a suspected secret key
  3. Click "Verify Signature"
  4. The tool will confirm if the key is valid

JSON Validation

The editor automatically validates JSON syntax and provides error messages for invalid JSON structures.

Algorithm Support

JWTAuditor supports all common JWT algorithms:

  • none: No signature
  • HS256/HS384/HS512: HMAC with SHA-256/384/512
  • RS256/RS384/RS512: RSA with SHA-256/384/512

Best Practices

For Penetration Testers

  • Always test the original token before modifications
  • Start with simple modifications (algorithm change)
  • Test each modification separately to identify what works
  • Document successful modifications for reporting
  • Consider the business impact of successful modifications

For Developers

  • Use this tool to test your JWT validation logic
  • Verify that your application rejects modified tokens
  • Test algorithm confusion scenarios
  • Ensure proper signature verification
  • Validate all claims thoroughly

Security Testing Checklist

  • ☐ Test "none" algorithm acceptance
  • ☐ Test HMAC to RSA algorithm confusion
  • ☐ Test privilege escalation through role modification
  • ☐ Test user impersonation through ID changes
  • ☐ Test expiration bypass
  • ☐ Test signature verification with invalid keys
  • ☐ Test malformed JSON handling

RSA Key Management

Private Key Format

RSA private keys should be in PEM format:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA2Z3QX0BTLS5+o6zXITG3MuHE8PVDRvn1wQ3lTe7YmQsS8U8a
...
-----END RSA PRIVATE KEY-----

Key Generation

You can generate RSA keys using OpenSSL:

# Generate private key
openssl genrsa -out private_key.pem 2048

# Extract public key
openssl rsa -in private_key.pem -pubout -out public_key.pem

Testing with Public Keys

For algorithm confusion attacks, you may need to use the public key as an HMAC secret. Convert the public key to the appropriate format first.

Troubleshooting

Q: I get "Invalid JSON" errors when editing

A: Ensure your JSON is properly formatted with correct quotes, commas, and brackets. Use a JSON validator if needed.

Q: The signature verification fails

A: Double-check that you're using the correct secret key and that it matches the algorithm. For RSA, ensure you're using the private key.

Q: The application still rejects my modified token

A: The application may have additional validation beyond signature verification. Check that all claims are valid and that the token structure is correct.

Q: How do I know if my attack succeeded?

A: Test the modified token in the target application. Look for successful authentication, access to restricted resources, or elevated privileges.

Security Considerations

Legal Notice: Only use this tool on systems you own or have explicit permission to test. Unauthorized modification of authentication tokens may violate laws and terms of service.
Privacy: All token editing is performed locally in your browser. No tokens or keys are transmitted to external servers.

Additional security considerations:

  • Be aware that your testing activities may be logged
  • Consider the impact of successful privilege escalation
  • Document all successful attacks for remediation
  • Follow responsible disclosure practices

Related Tools

Combine the JWT Editor with other JWTAuditor tools for comprehensive testing:

Decoder & Analyzer

Analyze tokens before editing to identify potential vulnerabilities

Secret Bruteforcer

Discover weak secrets that can be used for re-signing tokens

JWT Generator

Create completely new tokens for testing purposes