🛡️ JWT Claim Probe - Advanced JWT Security Testing Extension

A powerful Burp Suite extension for automated JWT vulnerability detection and exploitation

Discover JWT implementation flaws before attackers do

🎯 What is JWT Claim Probe?

JWT Claim Probe is a Burp Suite extension designed to automatically detect and exploit common JWT (JSON Web Token) vulnerabilities. It intercepts HTTP requests, extracts JWT tokens from various locations, modifies claims, and tests multiple attack vectors to identify security weaknesses in real-time.

Key Features

🔍 Automatic JWT Detection - Finds tokens in Authorization headers and cookies
⚡ Real-time Testing - Tests every request as it flows through Burp's proxy
🎯 Multiple Attack Vectors - Tests signature bypass, algorithm confusion, and key attacks
📊 Smart Issue Reporting - Creates persistent security issues in Burp's Issues tab
🛡️ Duplicate Prevention - Intelligent deduplication to reduce noise
🎛️ Path Filtering - Focus testing on specific endpoints
⚙️ Highly Configurable - Customizable claims, attack types, and response validation

🚀 Attack Vectors

1. Signature Bypass (modify-only)

What it tests: Modifies JWT claims without re-signing the token
Detects: Applications that don't verify JWT signatures
Risk: High - Complete authentication bypass

2. Algorithm None Attack (alg-none)

What it tests: Sets JWT algorithm to 'none' and removes signature
Detects: Applications accepting unsigned tokens
Risk: High - Removes all cryptographic protection

3. HMAC Key Confusion (hs256-empty-key)

What it tests: Signs JWT with an empty HMAC key
Detects: Weak key management or predictable keys
Risk: High - Allows token forgery

📦 Installation

Prerequisites

Burp Suite Professional or Community Edition
Java 17+ (required for building)
Gradle (for building from source)

Option 1: Download Pre-built JAR

Download burp-jwt-claim-probe-1.0.0.jar from releases
In Burp Suite: Extensions → Add → Select JAR file
Load the downloaded JAR file

Option 2: Build from Source

# Clone the repository
git clone <repository-url>
cd jwt_authorized

# Build the extension
./gradlew clean build

# The JAR will be created at:
# build/libs/burp-jwt-claim-probe-1.0.0.jar

Build Requirements:

Java 17 or higher
Gradle (wrapper included)

🛠️ Configuration

Basic Settings

Enable probe: Toggle the extension on/off
Check Authorization: Test Bearer tokens in Authorization headers
Check Cookie: Test tokens in cookies (specify cookie name)
Attack Selection: Choose which attack vectors to test

Claim Configuration

Claim Name: The JWT claim to modify (e.g., role, admin, permissions)
Claim Value: The value to inject (e.g., admin, true, 1)
Claim Type: Data type - String, Boolean, Number, or Null

Path Filtering 🎯

Control which endpoints get tested:

Enable filtering: ✓
Include paths: /api/auth, /admin, /dashboard
Exclude paths: /health, /static, /assets

Examples:

Include: /api/ (test only API endpoints)
Exclude: /health, /metrics (skip monitoring endpoints)
Patterns: /admin/*, *.php, /api/v* (wildcard support)

Advanced Settings

HTTP OK Status: Expected status code for successful exploitation (default: 200)
Prevent Duplicates: Avoid reporting the same issue multiple times
Duplicate Timeout: Time window for duplicate prevention (default: 60 minutes)

🎮 Usage

Quick Start

Install the extension in Burp Suite
Navigate to the "JWT Claim Probe" tab
Configure your target claim (e.g., admin → true)
Enable desired attack vectors
Browse your target application through Burp's proxy
Monitor the Issues tab for discovered vulnerabilities

Configuration Examples

Test Admin Privilege Escalation

Claim Name: admin
Claim Value: true
Claim Type: Boolean
Attacks: ✓ All enabled

Test Role-based Access Control

Claim Name: role
Claim Value: administrator
Claim Type: String
Include Paths: /admin, /dashboard

Focus on API Endpoints

Include Paths: /api/
Exclude Paths: /api/health, /api/docs
Methods: GET, POST, PUT, DELETE

📊 Understanding Results

Issue Types in Burp

JWT Signature Not Verified - Application accepts modified tokens
JWT Algorithm None Attack - Application accepts unsigned tokens
JWT HMAC Key Confusion - Application vulnerable to key attacks

Log Output Examples

[VULN][modify-only] GET http://app.com/admin accepted modified JWT (claim admin=true) at Authorization
[INFO] Duplicate issue suppressed: alg-none for http://app.com/admin
[DEBUG] Path filtered out: /health

Persistent Issues

All findings are automatically created as security issues in Burp's Issues tab with:

Detailed descriptions of the vulnerability
Request/Response evidence
Remediation guidance
Severity ratings (HIGH for all JWT bypasses)

🔧 Development

Project Structure

src/main/java/jwtprobe/
├── JwtClaimProbeExtension.java    # Main extension entry point
├── ProxyJwtHandler.java           # Request interception and testing
├── JwtUtils.java                  # JWT manipulation utilities
├── Settings.java                  # Configuration management
└── SettingsPanel.java             # User interface

Building

# Clean build
./gradlew clean build

# Build and run tests
./gradlew build test

# Create JAR only
./gradlew jar

Dependencies

Burp Montoya API 2024.11 - Modern Burp extension API
Java Standard Library - Core functionality

🛡️ Security Considerations

Responsible Usage

✅ Authorized Testing Only - Only test applications you own or have permission to test
✅ Defensive Security - Use for vulnerability assessment and security hardening
❌ No Malicious Use - Do not use against unauthorized targets

Detection Evasion

The extension includes several features to avoid detection:

Anti-loop Protection - Prevents infinite request loops
Configurable Delays - Built into Burp's request handling
Scope Respect - Only tests URLs in Burp's defined scope

📈 Common JWT Vulnerabilities Detected

Vulnerability	OWASP	CVE Examples	Impact
Signature Bypass	A02:2021	CVE-2022-39227	Authentication Bypass
Algorithm Confusion	A02:2021	CVE-2016-10555	Authentication Bypass
Weak Key Management	A02:2021	CVE-2020-28637	Token Forgery

🤝 Contributing

We welcome contributions! Here's how you can help:

Report Bugs - Open issues for any problems you find
Suggest Features - Share ideas for new attack vectors or improvements
Submit PRs - Contribute code improvements or new features
Documentation - Help improve guides and examples

Development Setup

git clone <repository-url>
cd jwt_authorized
./gradlew build
# Import into your IDE as a Gradle project

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

PortSwigger for the excellent Burp Suite platform and Montoya API
JWT Security Community for research and vulnerability disclosure
Security Researchers who continue to find and report JWT implementation flaws

📞 Support

Issues: Report bugs and feature requests via GitHub Issues
Security: For security-related concerns, please report responsibly
Community: Join discussions about JWT security best practices

Made with ❤️ for the security community

Help make JWT implementations more secure, one test at a time

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
build		build
gradle/wrapper		gradle/wrapper
src/main/java/jwtprobe		src/main/java/jwtprobe
.gitignore		.gitignore
CLAUDE.md		CLAUDE.md
README.md		README.md
build.gradle		build.gradle
gradlew		gradlew
gradlew.bat		gradlew.bat
settings.gradle		settings.gradle

marcrow/jwt_probe

Folders and files

Latest commit

History

Repository files navigation