varunbaisane/jwt-vulnerability-analyzer
JWT Vulnerability Analyzer

A lightweight, command-line security analysis tool for inspecting JSON Web Tokens (JWTs) and identifying common authentication misconfigurations.

This project focuses on analysis, not exploitation, and is designed to demonstrate secure design review and application security fundamentals.


Project Objective

JWTs are widely used for authentication and authorization, but incorrect implementation often leads to serious security vulnerabilities.

This tool analyzes a given JWT and reports:

  • Insecure or dangerous signing algorithms
  • Missing security-critical claims
  • Token lifetime issues

The goal is to help developers and security engineers identify weaknesses early in the authentication design.


What This Tool Detects

Algorithm Issues

  • Use of alg: none
  • Use of symmetric algorithms (e.g., HS256) where asymmetric signing may be more appropriate

Claim Issues

Checks for missing or weakly implemented claims (following the JWT specification, RFC 7519):

  • exp (expiration)
  • iat (issued at)
  • iss (issuer)
  • aud (audience)

Token Lifetime Issues

  • Excessively long token validity periods
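The checks listed above, implemented as an added example with only the standard library (this is not the project's analyzer.py, which uses pyjwt). The 24-hour lifetime threshold, the "Low" severity for symmetric algorithms and the function names are assumptions; the sample token is the same unsigned demo token used later in this README.

```python
import base64
import json

# Constructed sample, identical to the README demo token: header {"alg":"none"}, payload {"user":"admin"}
SAMPLE_NONE_TOKEN = "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
MAX_LIFETIME_SECONDS = 24 * 3600  # assumed threshold; the project's own cutoff is not stated
REQUIRED_CLAIMS = ("exp", "iat", "iss", "aud")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    # Parse header and payload only: the signature is neither verified nor bypassed,
    # this is inspection of what the token claims about itself
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def analyze_decoded(header, payload, max_lifetime=MAX_LIFETIME_SECONDS):
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append({"issue": "Insecure JWT algorithm",
                         "details": "JWT uses 'none' algorithm which disables signature verification",
                         "severity": "High"})
    elif alg.startswith("hs"):
        # Assumed severity: symmetric signing is a design smell, not a defect in itself
        findings.append({"issue": "Symmetric signing algorithm",
                         "details": f"JWT uses {header['alg']}; every verifier must hold the shared secret",
                         "severity": "Low"})
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append({"issue": f"Missing claim: {claim}",
                             "details": f"JWT does not contain '{claim}' claim",
                             "severity": "Medium"})
    exp, iat = payload.get("exp"), payload.get("iat")
    if isinstance(exp, (int, float)) and isinstance(iat, (int, float)) and exp - iat > max_lifetime:
        findings.append({"issue": "Excessive token lifetime",
                         "details": f"Token is valid for {int(exp - iat)} seconds",
                         "severity": "Medium"})
    return findings


def analyze(token, max_lifetime=MAX_LIFETIME_SECONDS):
    # Full path: decode without verification, then run the checks
    header, payload = decode_unverified(token)
    return analyze_decoded(header, payload, max_lifetime)
```

Running analyze(SAMPLE_NONE_TOKEN) reproduces the five findings shown in the demo section of this README.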

What This Tool Does NOT Do

  • No brute forcing of secrets
  • No token forging or manipulation
  • No exploitation of live systems
  • No signature verification bypass attempts

Tech Stack

  • Python 3
  • pyjwt
  • Standard Python libraries (argparse, json)

Installation and Usage

Clone the repository and install the tool locally:

# Fork and clone the repo, then
cd jwt-vulnerability-analyzer

If running directly from source without installing:

pip install -r requirements.txt
python analyzer.py --token <JWT_TOKEN>

Using as a CLI tool:

pip install -e .

jwt-analyzer --token <JWT_TOKEN>

Demo

Example analysis:

jwt-analyzer --token eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

CLI Output:

+────────────────────────────+
| JWT Vulnerability Analyzer |
+────────────────────────────+

Issue                                    | Severity
-------------------------------------------------------
Insecure JWT algorithm                   | HIGH
Missing claim: exp                       | MEDIUM
Missing claim: iat                       | MEDIUM
Missing claim: iss                       | MEDIUM
Missing claim: aud                       | MEDIUM

[+] Analysis complete. 5 issues found.
[+] Results saved to output/findings.json

output/findings.json

[
  {
    "issue": "Insecure JWT algorithm",
    "details": "JWT uses 'none' algorithm which disables signature verification",
    "severity": "High"
  },
  {
    "issue": "Missing claim: exp",
    "details": "JWT does not contain 'exp' claim",
    "severity": "Medium"
  },
  {
    "issue": "Missing claim: iat",
    "details": "JWT does not contain 'iat' claim",
    "severity": "Medium"
  },
  {
    "issue": "Missing claim: iss",
    "details": "JWT does not contain 'iss' claim",
    "severity": "Medium"
  },
  {
    "issue": "Missing claim: aud",
    "details": "JWT does not contain 'aud' claim",
    "severity": "Medium"
  }
]

Sample Tokens

The samples/ directory contains intentionally insecure and dummy JWTs for testing and demonstration purposes.

These tokens:

  • Are not real
  • Contain no secrets
  • Must never be used in production

Future Enhancements

  • AI-assisted explanations and remediation guidance
  • MITRE ATT&CK mapping for detected issues
  • Dockerized execution
  • Enhanced output formats

Use Cases

  • Application Security (AppSec) learning
  • Secure design reviews
  • JWT implementation validation
  • Security education and demos

LICENSE

Apache License 2.0
