JWT Inspector
Algorithm: None, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
Header
Payload
Signature
None
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-secret-here)
RSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), , )
Generate key pair
Select algorithm: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
PEM <--> JWK convertor
Select algorithm: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
PEM to JWK
JWK to PEM
Algorithm/Key confusion attack (CVE-2016-5431)
The following conditions need to be met:
The application must expect the JWT to be signed with a public-key-based algorithm (i.e., RSxxx or ESxxx).
The application must not check which algorithm the JWT is actually using for the signature.
The public key used to verify the JWT must be available to the attacker.
JWK injection attack (CVE-2018-0114)
The application should support JSON Web Key (JWK) embedded within the header of a JWT
Select algorithm: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
Brute-force JWT secret
The following conditions need to be met:
The JWT must be signed using an HMAC-based algorithm (such as HS256).
Default dictionary is:
https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list