⚠️Requests 1 sensitive permission
Description
Stealthy JWT security testing toolkit - Auto-detect, decode, analyze & test JWT vulnerabilities for authorized pentesting & bug bounty.
Detailed Description
TokenNinja - Professional JWT Security Testing Toolkit
A powerful DevTools extension for security researchers, penetration testers, and bug bounty hunters to identify and test JWT (JSON Web Token) vulnerabilities.
KEY FEATURES:
Auto-Detection
• Automatically scans pages for JWTs in cookies, localStorage, sessionStorage, headers, and URLs
• Intercepts Authorization headers from XHR/Fetch requests
• Supports Next.js, Nuxt.js, Redux, and other modern frameworks
Token Analysis
• Decode JWT header, payload, and signature
• Identify security issues (weak algorithms, missing expiration, exposed secrets)
• Visual security risk indicators
Attack Generation (80+ Attack Vectors)
• Algorithm None - Test for unsigned token acceptance
• Algorithm Confusion - RS256 to HS256 key confusion attacks
• Signature Stripping - Empty and malformed signature tests
• Expiry Manipulation - Extend token lifetime, remove expiration
• Key ID (kid) Injection - Path traversal, SQL injection, command injection
• JKU/X5U Injection - Remote key URL manipulation
• Privilege Escalation - Role, admin, and permission tampering
• Issuer/Audience Bypass - iss and aud claim manipulation
• Type Confusion - JWT header type attacks
One-Click Testing
• Test modified tokens against target endpoints
• Instant vulnerability detection feedback
• Copy attack payloads to clipboard
IMPORTANT: This tool is designed for AUTHORIZED security testing only. Use responsibly on systems you have permission to test. Ideal for:
• Penetration testing engagements
• Bug bounty programs
• Security research
• CTF competitions
• Educational purposes
Access via browser popup or DevTools panel for an enhanced testing experience.
Version 1.0.0
Category
Developer Tools
Tags/Keywords
JWT, JSON Web Token, security, penetration testing, bug bounty, vulnerability scanner, token decoder, authentication, cybersecurity, devtools
Permissions (4)
• activeTab: Can access the current tab when you click the extension
• cookies: Can read and modify browser cookies
• scripting: Can inject scripts into web pages
• storage: Can store data locally in your browser
Details
| Version | 1.0.1 |
| Updated | Dec 10, 2025 |
| Size | 34.93KiB |
| First Seen | Mar 27, 2026 |