OWASP JWT Vulnerabilities · FULL COVERAGE | Algorithm Confusion (RS256→HS256) · AUTOMATED DETECTION | JKU / X5U Header Injection · SSRF TESTING | DOM XSS via JWT Claims · 11 PATTERNS | AI-Powered Verdicts · LM STUDIO INTEGRATION | Multi-Tenant RBAC · 100% FREE | HexJWTSuite v1.0.0 · PRODUCTION
JWT Security Assessment Platform

Know what hides in your JWT tokens.

Automated JWT vulnerability assessment with algorithm confusion detection, JKU/X5U SSRF injection, DOM XSS analysis via Playwright, and AI-powered verdict generation. Purpose-built for application security teams.

  • 11 Attack Patterns
  • RS256→HS256 Algorithm Confusion
  • DOM XSS (Playwright Engine)
  • AI Verdicts (LM Studio / MCP)
  • 100% Free (No Credit Card)

Attack Coverage

  • JWT RFC 7519
  • Algorithm Confusion
  • JKU / X5U SSRF
  • BOLA Testing
  • DOM XSS · Playwright
Capabilities

Complete JWT Attack Surface Coverage

One platform. Every JWT vulnerability class your penetration testing team needs: algorithm confusion, DOM XSS, SSRF injection, BOLA, and AI verdict generation.

Algorithm Attacks

Algorithm Confusion

Detects RS256→HS256 downgrade vulnerabilities by signing tokens with the public key as an HMAC secret. Also tests none-algorithm bypass and weak HMAC secret brute-force. Every test is logged with full request/response evidence.

SSRF Testing

JKU / X5U Injection

Forges JWT headers with attacker-controlled JKU and X5U URLs pointing to a live callback server. When the target fetches the attacker JWKS endpoint, the callback is recorded as network-level proof of SSRF exploitability.

Signature Bypass

Signature Verification

Tests expired JWT acceptance, modified payload without re-signing, none-algorithm bypass, and tampered header parameters. Systematically proves whether the target enforces cryptographic integrity checks.

Broken Auth

BOLA Assessment

Broken Object Level Authorization testing sends requests with JWT claims modified to reference other users' or resources' IDs. Checks whether the target enforces authorization at the object level or trusts token claims blindly.

11 Patterns

DOM XSS via Playwright

Server-side Playwright renders target pages with JWT-derived payloads injected into localStorage, sessionStorage, cookies, and URL parameters. Detects 11 DOM XSS sink patterns including innerHTML, document.write, eval, and location.href.

Discovery

Web Crawler

Authenticated and unauthenticated endpoint discovery with JWT token propagation. Follows links, extracts API paths, maps the attack surface, and feeds discovered endpoints directly into the JWT assessment pipeline.

AI-Powered

AI Verdict Generation

Connects to LM Studio running on your machine via the MCP protocol. The AI model analyses JWT attack results (token structures, response codes, callback logs) and generates structured verdicts with CVE references and remediation guidance.

Attacker Server

Attack Registry

Per-session attacker callback server with live JWKS endpoint hosting. Every inbound request from the target during JKU/X5U tests is captured, timestamped, and surfaced in the UI with full HTTP details as audit evidence.

Multi-Tenant

Organisation & RBAC

Invite-only workspace isolation with role-based access control: Viewer, Analyst, OrgAdmin, and SuperAdmin. OTP-verified email authentication. Full assessment history and attack registry scoped per organisation.

  • 11 attack patterns
  • JWT RFC 7519 fully covered
  • <5 min per assessment
  • 4 roles with fine-grained RBAC
Platform Architecture

Built for Pentesters

Dockerized microservices with a live attacker callback server, Playwright headless engine, and local AI integration via MCP. No data leaves your environment.

  • Live: Attacker Callback Server
    Per-session JWKS endpoint and callback server with request logging. Target servers call back during JKU/X5U SSRF tests. Every inbound request is captured in the UI with full HTTP details as audit evidence.
  • Isolated: Multi-Tenant Workspaces
    Each organisation gets isolated sessions, attack registries, and assessment history. Invite-only onboarding with OTP-verified email authentication keeps access controlled.
  • AI: LM Studio Integration via MCP
    Connect your local LM Studio instance via the MCP protocol. The AI model analyses JWT attack results and generates structured vulnerability verdicts with CVE references and remediation guidance, entirely on-premises.
  • Headless: DOM XSS via Playwright
    Server-side Playwright renders target pages with forged JWT claims injected into storage, cookies, and URL params. Detects 11 DOM XSS sink patterns without any client-side instrumentation.
hexjwt-assessment — session #a3f1
[10:22:31] ▶ JWT ASSESSMENT START
[10:22:31] → Target: https://api.target.com/auth
[10:22:32] → Fetched original JWT eyJhbGc...
[10:22:32] ▶ ALGORITHM CONFUSION TEST
[10:22:33] ⚠ VULNERABLE RS256 → HS256
            Server accepted HMAC-signed token
[10:22:34] ▶ JKU INJECTION TEST
[10:22:34] → JWKS server: .../attacker/jwks
[10:22:35] ⚠ VULNERABLE JKU SSRF confirmed
            Callback from 203.0.113.42:443
[10:22:36] ✔ SIGNATURE BYPASS — not vulnerable
[10:22:37] ▶ AI VERDICT querying LM Studio...
[10:22:38] ✔ COMPLETE 3 findings · 2 critical
[10:22:38] Report ready
Compliance & Security

Evidence-First Assessment Architecture

Every test produces structured evidence, not just a pass/fail flag. Built for pentesters who need defensible findings in client reports.

  • JWT RFC 7519 / RFC 7515 · FULL COVERAGE
  • Algorithm Confusion (none / HS256) · RS256→HS256
  • JKU Header Injection · SSRF TESTED
  • X5U Certificate Injection · TESTED
  • Signature Bypass · 4 PATTERNS
  • BOLA Testing (OWASP API1) · IDOR CHECKED
  • DOM XSS via Playwright · 11 PATTERNS
  • OTP Email Authentication · VERIFIED
  • Invite-Only Access · CONTROLLED
  • Session HMAC Signing · FIPS 198-1

JWT Algorithm Attacks

Algorithm confusion testing covers RS256→HS256 downgrade, none-algorithm bypass, and weak HMAC secret brute-force. Every test is logged with request/response evidence and a verdict from the AI engine.

SSRF via Header Injection

JKU and X5U headers are injected with attacker-controlled URLs. The platform hosts a live JWKS endpoint and logs every callback the target server makes as network-level proof of SSRF exploitability.
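The JWT algorithm attacks and header-injection sections above (and the matching Capabilities cards) all come down to a verifier trusting what the token says about itself. The following is an added example written for this page, not HexJWTSuite's own code: a defender-side gate that runs before any signature check and fails closed on a non-pinned alg (covering none and RS256→HS256 downgrades), on jku/x5u URLs outside an allowlist (the SSRF case), and on a missing or past exp. The allowlist values, sample tokens and helper names are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

ALLOWED_ALGS = {"RS256"}                    # assumed: the issuer only signs with RS256
TRUSTED_JWKS_HOSTS = {"auth.example.com"}   # assumed allowlist for jku / x5u hosts

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def header_policy_findings(token, now=None):
    """Pre-verification gate: list policy violations in a token's header and payload.
    Anything listed must fail closed before the signature is ever checked."""
    findings = []
    try:
        h_seg, p_seg, _sig = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        payload = json.loads(_b64url_decode(p_seg))
    except ValueError:                      # bad base64, bad JSON, wrong segment count
        return ["malformed token"]
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:             # rejects 'none' and an HS256 downgrade
        findings.append(f"alg {alg!r} not in pinned set {sorted(ALLOWED_ALGS)}")
    for hdr in ("jku", "x5u"):              # remote key URLs only honoured on allowlist
        if hdr in header:
            url = urlparse(str(header[hdr]))
            if url.scheme != "https" or url.hostname not in TRUSTED_JWKS_HOSTS:
                findings.append(f"{hdr} points outside trusted hosts: {header[hdr]}")
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("exp missing or in the past")
    return findings

def _make_token(header, payload):
    """Constructed sample token; the HMAC is a placeholder since the gate never checks it."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    sig = hmac.new(b"constructed-demo-secret", signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

# Constructed sample tokens (not real credentials): one clean, one with every violation.
GOOD_TOKEN = _make_token({"alg": "RS256", "kid": "k1", "jku": "https://auth.example.com/jwks"},
                         {"sub": "user-1", "exp": 4102444800})
FORGED_TOKEN = _make_token({"alg": "HS256", "jku": "http://203.0.113.42/jwks"},
                           {"sub": "user-2", "exp": 946684800})
```

Run the gate first, then hand only tokens with an empty findings list to the signature verifier with the key selected by the server's pinned configuration, never by the token's header.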

DOM XSS Assessment

Playwright renders target pages with JWT-derived payloads injected into localStorage, sessionStorage, cookies, and URL parameters. Detects 11 DOM sink patterns including innerHTML, eval, document.write, and location.href.

AI Verdict Generation

LM Studio analyses test results via the MCP protocol and generates structured verdicts with CVE references, CVSS scores, and remediation guidance. Your LLM data stays entirely on-premises.

No paywalls. No tiers.

HexJWTSuite is 100% Free

Every attack vector, every feature available to all users at no cost. Sign up and run your first assessment in minutes. No credit card. No invite required.

From Security Teams

Trusted by Application Security Professionals

"The algorithm confusion detection is the first tool we've found that actually proves RS256→HS256 exploitability with a real signed token. No more manual crafting. The evidence is right there in the UI."

Marcus Chen, API Security Lead, Cloud-Native Startup

"JKU SSRF testing with an embedded attacker server is exactly what penetration testing reports need: live callback logs as evidence, not just theory. Our clients finally see network-level proof."

Priya Sharma, Senior Penetration Tester, Security Consultancy

"DOM XSS via Playwright was a revelation. Found three XSS sinks in our JWT-heavy frontend that our SAST tools had completely missed. The AI verdict had a CVE reference and a ready-to-use remediation."

Tobias Meyer, AppSec Engineer, FinTech Platform
FAQ

Common Questions

HexJWTSuite is free for everyone. Sign up at accounts.hiesencyber.com to create your account. No credit card or invite required. Once registered, you get immediate access to the full platform including all attack vectors and AI verdict generation.

Algorithm confusion (RS256→HS256 downgrade), none-algorithm bypass, weak HMAC secret brute-force, JKU header injection (SSRF), X5U certificate injection, expired token acceptance, BOLA testing, DOM XSS via Playwright (11 patterns), and web crawling with authenticated JWT propagation.

During JKU/X5U injection tests, HexJWTSuite hosts a live JWKS endpoint and attacker-controlled URL. When the target server fetches the forged JKU header, the callback is recorded as network-level evidence of SSRF exploitability, including the source IP, timestamp, and HTTP request details.

HexJWTSuite connects to LM Studio running on your machine via the MCP protocol. The AI model analyses test results (JWT structures, response codes, callback logs) and generates structured verdicts with CVE references and remediation guidance. Your LLM data stays entirely on-premises.

BOLA (Broken Object Level Authorization) testing sends requests with JWT claims modified to reference other users' or resources' IDs. The platform checks whether the target server enforces authorization at the object level or relies solely on the authenticated identity in the token.

DOM XSS tests use Playwright with read-only rendering. No form submissions or state mutations. The injected JWT claims are derived from real tokens with only the vulnerable fields modified. Exercise caution with production systems and prefer staging environments for testing.

Yes. HexJWTSuite is deployed as a Docker Compose stack. Enterprise customers can run it fully on-premises with their own LM Studio instance. Contact [email protected] for the deployment guide.

Start assessing your JWT tokens today.

Free for everyone. Create your account and run your first assessment in minutes. No credit card or invite required.

Enterprise on-premises available  ·  [email protected]