jwt_tool
jwt_tool jwt_tool is the all-in-one JWT manipulator for decoding, signing and fuzzing tokens, with built-in attacks such as alg=none and key confusion (an RS256 public key reused as an HS256 secret) for testing auth bypasses in APIs. Run its Python script against captured JWTs, tamper with claims or signing keys, check whether the target still accepts the result, and export the modified tokens for replay. Open-source from ticarpi, it's the token tinkerer for pentesters dissecting session security layer by layer.
oauth2-tester
oauth2-tester oauth2-tester is a framework for probing OAuth 2.0 flows: it exercises grant types and scopes to surface misconfigurations such as open redirects in redirect_uri handling or token leaks from authorization servers. Script custom endpoints in Python, simulate client requests and validate the responses. Open-source and community-maintained, it's the flow fuzzer for API auditors chaining OAuth weaknesses together.
jwt-cracker
jwt-cracker jwt-cracker is an offline brute-forcer for weak HS256 secrets: point it at a captured JWT and it tries candidate secrets until one reproduces the signature, recovering the key for forgery and replay tests. Feed it the token via the CLI and watch for a hit; short or dictionary-grade secrets fall in seconds. Open-source from brendan-rius, it's the key cracker for pentesters exposing symmetric-signing flaws.
oauth-fuzzer
oauth-fuzzer oauth-fuzzer mutates OAuth parameters such as client_id and redirect_uri with edge cases, looking for injection flaws and open redirects (which hand the authorization code to an attacker) in authorization and consent endpoints. Configure it via Go flags and run it against /authorize endpoints, logging anomalous responses for review. Open-source from frikilnik, it's the param punisher for OAuth testers fuzzing token-issuance vectors.
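The redirect_uri mutations described above, as an added example that is not oauth-fuzzer's own code. It generates the edge cases a fuzzer would send to /authorize and runs them through two hypothetical server-side validators standing in for the authorization server: the weak prefix match that causes most open-redirect findings and the exact match RFC 6749 section 3.1.2 calls for. The registered URI and attacker host are constructed; nothing is sent over the network.

```python
"""Added example (not oauth-fuzzer's code): redirect_uri edge cases versus a
weak and a strict validator.  All URLs are constructed; no requests are sent."""
from typing import Callable, List
from urllib.parse import urlsplit

REGISTERED_URI = "https://client.example/callback"  # constructed registered redirect_uri
ATTACKER_HOST = "evil.example"                       # constructed attacker-controlled host


def mutate_redirect_uri(registered: str, attacker_host: str) -> List[str]:
    """Variants that probe the usual redirect_uri matching mistakes."""
    host = urlsplit(registered).netloc
    return [
        registered,                                                    # baseline: must be accepted
        f"{registered}/../{attacker_host}",                            # path traversal
        f"{registered}?next=https://{attacker_host}",                  # extra query parameter
        f"{registered}#https://{attacker_host}",                       # fragment (forbidden by RFC 6749)
        f"{registered}evil",                                           # path suffix
        registered.replace("https://", "http://", 1),                  # scheme downgrade
        registered.replace(host, f"{host}.{attacker_host}", 1),        # subdomain look-alike
        registered.replace(host, f"{host}@{attacker_host}", 1),        # userinfo trick
        registered.replace(host, attacker_host, 1),                    # outright different host
    ]


def weak_prefix_match(candidate: str, registered: str) -> bool:
    """Hypothetical buggy check: anything that starts with the registered URI passes."""
    return candidate.startswith(registered)


def strict_exact_match(candidate: str, registered: str) -> bool:
    """Simple string comparison, as RFC 6749 section 3.1.2.3 and OAuth 2.1 require."""
    return candidate == registered


def accepted_by(validator: Callable[[str, str], bool], registered: str, corpus: List[str]) -> List[str]:
    """Return the corpus entries the validator lets through; anything beyond the baseline is a finding."""
    return [uri for uri in corpus if validator(uri, registered)]


if __name__ == "__main__":
    corpus = mutate_redirect_uri(REGISTERED_URI, ATTACKER_HOST)
    for name, validator in (("weak prefix", weak_prefix_match), ("strict exact", strict_exact_match)):
        hits = accepted_by(validator, REGISTERED_URI, corpus)
        print(f"{name}: accepted {len(hits)}/{len(corpus)}")
        for uri in hits:
            print("   ", uri)
```

Against a live target the judgement comes from the 302 Location header rather than a local validator: any mutation that produces a redirect to a URI you did not register is the finding, and the traversal, query and fragment variants are the ones a prefix match lets through.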
burp-jwt-editor
Burp JWT Editor burp-jwt-editor is the Burp Suite extension for decoding and editing JWTs inline, swapping algorithms, keys or claims during a proxy session to test signature-verification bypasses. Install it from the BApp Store and edit tokens directly in Repeater, previewing each tamper before you send it. Open-source from PortSwigger, it's the token tamperer for web pentesters validating JWT handling in transit.
oidc-client
OIDC Client OIDC Client is a Go client library for OpenID Connect that doubles as a test harness: use it to act as a relying party, query discovery endpoints and exercise token handling to catch misissued scopes or expiry bugs. Craft requests with its Go package and validate the responses against the OpenID Connect specifications. Open-source from coreos, it's the OIDC oracle for API developers templating auth-flow validations.
jwt-validate
JWT Validate jwt-validate is a verifier for JWT integrity: it checks signatures, claims and expiry, and accepts custom key resolvers so you can test key rotation and token revocation against an auth server. Integrate the library into your test suite and run it over batches of captured tokens for compliance checks. Open-source from cristalhq, it's the token truth-teller for security teams auditing JWT lifecycles.
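The three JWT entries above (jwt_tool's alg=none attack, jwt-cracker's HS256 brute force, and the signature-plus-claims verification jwt-validate describes) share one worked example here. It is added code, not taken from any of those projects: it builds a token with Python's standard library, forges an unsigned copy with escalated claims, recovers a weak secret from a wordlist, and shows why a verifier that trusts the header's alg accepts the forgery while one that pins the algorithm and checks exp, nbf and aud does not. The secret, claims, wordlist and fixed clock are constructed for the example.

```python
"""Added example (not jwt_tool, jwt-cracker or cristalhq code): forge, crack
and verify HS256 JWTs.  Standard library only; all inputs are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional

NOW = 1_700_000_000                  # fixed clock keeps the example deterministic
SECRET = b"secret123"                # constructed weak signing key
WORDLIST = [b"password", b"123456", b"letmein", b"secret", b"secret123", b"changeme"]
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"sub": "alice", "role": "user", "aud": "api.example", "iat": NOW, "exp": NOW + 3600}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: Dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: Dict, claims: Dict, secret: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256."""
    signing_input = f"{_encode_json(header)}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none(token: str, **claim_changes) -> str:
    """The alg=none attack: set alg to none, edit claims, drop the signature."""
    head, body, _sig = token.split(".")
    header = json.loads(b64url_decode(head))
    claims = json.loads(b64url_decode(body))
    header["alg"] = "none"
    claims.update(claim_changes)
    return f"{_encode_json(header)}.{_encode_json(claims)}."


def crack_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline brute force: the candidate that reproduces the signature is the key."""
    head, body, sig = token.split(".")
    signing_input = f"{head}.{body}".encode()
    target = b64url_decode(sig)
    for cand in candidates:
        if hmac.compare_digest(hmac.new(cand, signing_input, hashlib.sha256).digest(), target):
            return cand
    return None


def trusting_verify(token: str, secret: bytes) -> Dict:
    """Broken verifier: honours whatever alg the token's own header declares."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") == "none":          # unsigned token accepted as-is
        return json.loads(b64url_decode(body))
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def strict_verify(token: str, secret: bytes, audience: str, now: int, skew: int = 60) -> Dict:
    """Pin the algorithm, verify the MAC, then check exp, nbf and aud."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":         # the token never gets to pick its own algorithm
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if "exp" not in claims or now >= claims["exp"] + skew:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def is_rejected(token: str, secret: bytes, audience: str, now: int) -> bool:
    """True when strict_verify refuses the token."""
    try:
        strict_verify(token, secret, audience, now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    token = sign_hs256(HEADER, CLAIMS, SECRET)
    forged = forge_none(token, role="admin")
    print("cracked secret:", crack_hs256(token, WORDLIST))
    print("trusting verifier grants role:", trusting_verify(forged, SECRET)["role"])
    print("strict verifier rejects forgery:", is_rejected(forged, SECRET, "api.example", NOW))
```

The two verifiers differ in one line: the strict one decides the algorithm from server configuration before it looks at the token, which is what closes both the alg=none and the key-confusion class of bugs. The cracker is the same HMAC computation run in a loop, which is why a guessable HS256 secret is equivalent to no signature at all.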
oauth2-introspect
OAuth2 Introspect oauth2-introspect is a token introspection tool for OAuth 2.0 and OIDC: it queries the server's introspection endpoint (RFC 7662) to confirm whether a token is still active and which scopes and audiences it carries, which is exactly what a revocation test needs to observe. Script its Python client with client credentials and parse the JSON response for the active flag and expiry. Open-source and community-maintained, it's the introspection inquisitor for pentesters probing token state after issuance.
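The introspection exchange described above, as an added example that is not oauth2-introspect's code. It builds the RFC 7662 request (form-encoded token and token_type_hint, client authenticated with HTTP Basic) and evaluates the server's JSON the way a revocation or scope test would: the active flag first, then scope, audience and expiry. The endpoint, client credentials, clock and sample responses are constructed; the request object is built but never sent.

```python
"""Added example (not oauth2-introspect's code): RFC 7662 introspection request
builder and response evaluator.  Endpoint, credentials and responses are constructed."""
import base64
from typing import Dict, Iterable, List, Tuple
from urllib.parse import quote, urlencode
from urllib.request import Request

INTROSPECTION_ENDPOINT = "https://as.example/oauth2/introspect"  # constructed
CLIENT_ID, CLIENT_SECRET = "rp-test", "s3cr3t"                     # constructed client credentials
NOW = 1_700_000_000                                                 # fixed clock for the example

# Constructed responses: a live token, a revoked one, one issued for another API, one already expired.
SAMPLE_RESPONSES = {
    "live": {"active": True, "scope": "read write", "client_id": "rp-test", "sub": "alice",
             "aud": ["api.example", "billing.example"], "exp": NOW + 600, "iat": NOW - 300},
    "revoked": {"active": False},
    "wrong_api": {"active": True, "scope": "read write", "aud": "other.example", "exp": NOW + 600},
    "stale": {"active": True, "scope": "read write", "aud": "api.example", "exp": NOW - 3600},
}


def build_introspection_request(endpoint: str, token: str, client_id: str, client_secret: str,
                                token_type_hint: str = "access_token") -> Request:
    """POST per RFC 7662 section 2.1; client auth is HTTP Basic with form-encoded id and secret (RFC 6749 2.3.1)."""
    body = urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
    creds = base64.b64encode(f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()).decode()
    return Request(endpoint, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def evaluate_introspection(resp: Dict, required_scopes: Iterable[str], expected_aud: str,
                           now: int, skew: int = 60) -> Tuple[bool, str]:
    """Decide whether the introspected token is usable for this API; returns (ok, reason)."""
    if resp.get("active") is not True:            # inactive responses may carry no other members
        return False, "token inactive (revoked, expired or unknown)"
    granted = set(resp.get("scope", "").split())  # scope is a space-separated string
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, f"missing scopes: {missing}"
    aud = resp.get("aud")                         # string or array, as in RFC 7519
    aud_list: List[str] = aud if isinstance(aud, list) else ([aud] if aud else [])
    if expected_aud not in aud_list:
        return False, f"audience {expected_aud!r} not in {aud_list}"
    exp = resp.get("exp")
    if exp is not None and now >= exp + skew:     # active=true with a past exp points at a server bug
        return False, "exp already passed"
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf - skew:
        return False, "token not yet valid"
    return True, "token usable"


if __name__ == "__main__":
    req = build_introspection_request(INTROSPECTION_ENDPOINT, "opaque-token-123", CLIENT_ID, CLIENT_SECRET)
    print(req.get_method(), req.full_url, req.data)
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, evaluate_introspection(resp, ["read", "write"], "api.example", NOW))
```

In a revocation test the useful comparison is before and after: introspect the token, revoke it (or log the user out), and introspect again; a response that still says active is the finding. A server that returns active for a token whose exp has passed, or that echoes claims for an inactive token, is also worth reporting.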
token-fuzzer-jwt-oauth
Token Fuzzer JWT/OAuth token-fuzzer-jwt-oauth mutates JWT claims and OAuth parameters with bit flips, oversized values and malformed encodings to test parser robustness, looking for crashes or information leaks in auth handlers. Define corpora in YAML and run the Go CLI against endpoints, saving the inputs that trigger crashes for reproduction. Open-source from frikilnik, it's the token tormentor for API fuzzers stressing format boundaries.
auth0-jwt-decode

