Select Attack Category
Algorithm Attacks

None Algorithm Bypass (difficulty: Easy; impact: High)
  Remove signature verification by setting the algorithm to "none".

Algorithm Confusion (difficulty: Medium; impact: High)
  Convert asymmetric algorithms (RS256/RS384/RS512) to symmetric ones (HS256/HS384/HS512), using the public key as the HMAC secret.

Header Injection Attacks

Kid Parameter Injection (difficulty: Medium; impact: High)
  SQL injection, path traversal, or command injection via the kid parameter.

JKU/X5U Manipulation (difficulty: Hard; impact: Critical)
  URL manipulation attacks for key injection and SSRF.

JWK Header Injection (difficulty: Medium; impact: Critical)
  Embed a malicious public key directly in the JWT header.

Payload Manipulation

Privilege Escalation (difficulty: Medium; impact: Critical)
  Role and permission bypass through payload manipulation.

Claim Spoofing (difficulty: Easy; impact: High)
  Manipulate user identity and authorization claims.