JWT Scanner

JWT Scanner is a Burp Suite extension designed for the automated testing of JSON Web Token (JWT) implementations in web applications.

Features

• Automatically detects JWTs in requests.
• Allows manual selection of target JWTs.
• Supports forging public keys with two different JWTs.
• Checks for various vulnerabilities, including:
  • Missing or invalid signatures.
  • Expired JWTs or those without expiry.
  • Vulnerabilities related to "none" algorithm, CVE-2022-21449, and public key injection.
  • Exposed public keys and algorithm confusion.
  • Status code 500 alerts for potential issues.

Usage

Run an active scan or manually select a request to check:

• Go to Proxy/Repeater/Target/Logger/Intruder
• Select a request that requires authentication with a valid JWT and returns a HTTP 200 response.

Automatically detect JWT:

• Right-click on the request you want to check.
• Select Extension -> JWT Scanner -> Scan (autodetect).
• If a vulnerability is identified, an issue is generated.

Manually select JWT:

• Highlight the target JWT in the request.
• Right-click the highlighted JWT request.
• Select Extension -> JWT Scanner -> Scan selected.
• If a vulnerability is identified, an issue is generated.

Forging public keys:

• If a public key is not exposed, you can try forging one:
• Select two base requests, each containing one different JWT.
• Right-click the highlighted JWT requests.
• Select Extension -> JWT Scanner -> Forge public key.
• Investigate the Event and Issue log.
• If successful, rerun "Scan (autodetect)" or "Scan selected".