ANALYSIS / EXPLOIT

Free account required

JWT Analyzer

Decode JWT tokens and test for algorithm confusion, weak secrets, and common exploits.

Decode any JWT and immediately test for the most impactful vulnerabilities: algorithm confusion (RS256 to HS256), the none algorithm bypass, weak HMAC secrets, expired but accepted tokens, and kid injection. Used in thousands of bug bounty reports.

What it detects

Algorithm Confusion (RS256→HS256)
None Algorithm Bypass
Weak HMAC Secrets
Insecure Claims

What JWT Analyzer finds

Algorithm Confusion (RS256→HS256)

Tests whether the server accepts a forged HS256 token signed with the public RS256 key — one of the most impactful JWT bugs.

None Algorithm Bypass

Generates a none-algorithm token and checks if the issuer accepts it without a valid signature.

Weak HMAC Secrets

Attempts to crack HS256/HS384/HS512 tokens against a curated wordlist of common secrets.

Insecure Claims

Flags missing exp, iss, or aud claims and tokens with an excessive lifetime (more than 24 hours).
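The four findings above, seen from the verifying server's side, as an added Python example that is not part of RaSEC's JWT Analyzer or its code: the verifier pins the algorithm it will accept (which rejects both none tokens and an RS256 header swapped to HS256 before any key is touched), checks the HMAC with a constant-time compare, and then reports the same claim problems the tool flags. The secret, issuer, audience, timestamp and payloads are constructed for the demonstration; `make_token` exists only to build the accepted and rejected inputs.

```python
import base64
import hashlib
import hmac
import json
import time

# Verifier policy: the server decides the algorithm; the token header never does.
ALLOWED_ALGS = {"HS256"}
MAX_LIFETIME_SECONDS = 24 * 3600  # the "excessive lifetime" threshold used above

# Constructed demo values (not real credentials or a real issuer).
SECRET = b"demo-secret-for-this-example-only"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"
NOW = 1_700_000_000
GOOD_PAYLOAD = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123",
                "iat": NOW - 60, "exp": NOW + 3600}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a token for the checks below. alg 'none' yields an empty signature,
    the shape a none-bypass probe has and the verifier must refuse."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    if header.get("alg") == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, expected_iss: str,
                 expected_aud: str, now=None) -> tuple:
    """Return (accepted, findings). Any finding means the token is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, ["malformed token: expected three segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, ["malformed token: segments are not base64url JSON"]

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Rejects 'none' and any RS256->HS256 swap before the key is used.
        return False, [f"alg {alg!r} not allowed; server pins {sorted(ALLOWED_ALGS)}"]

    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, ["signature mismatch"]

    now = int(time.time()) if now is None else now
    findings = [f"missing {c} claim" for c in ("exp", "iss", "aud") if c not in payload]
    if "exp" in payload and payload["exp"] <= now:
        findings.append("token expired")
    if "exp" in payload and "iat" in payload and \
            payload["exp"] - payload["iat"] > MAX_LIFETIME_SECONDS:
        findings.append("lifetime exceeds 24 hours")
    if "iss" in payload and payload["iss"] != expected_iss:
        findings.append("iss mismatch")
    if "aud" in payload and payload["aud"] != expected_aud:
        findings.append("aud mismatch")
    return not findings, findings


def run_checks() -> dict:
    """Run the verifier over one good token and four rejected variants."""
    hs = {"alg": "HS256", "typ": "JWT"}
    long_lived = dict(GOOD_PAYLOAD, exp=NOW + 48 * 3600)
    no_exp = {k: v for k, v in GOOD_PAYLOAD.items() if k != "exp"}
    cases = {
        "good": make_token(hs, GOOD_PAYLOAD, SECRET),
        "none_alg": make_token({"alg": "none", "typ": "JWT"}, GOOD_PAYLOAD, SECRET),
        "rs256_header": make_token({"alg": "RS256", "typ": "JWT"}, GOOD_PAYLOAD, SECRET),
        "long_lived": make_token(hs, long_lived, SECRET),
        "no_exp": make_token(hs, no_exp, SECRET),
    }
    return {name: verify_token(t, SECRET, ISSUER, AUDIENCE, now=NOW)
            for name, t in cases.items()}


if __name__ == "__main__":
    for name, (ok, findings) in run_checks().items():
        print(f"{name:13s} accepted={ok} findings={findings}")
```

The design point is ordering: the algorithm pin and the signature check come first and fail closed, so claim inspection only ever runs on a token whose origin has already been proven.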

How to use JWT Analyzer

Paste your JWT

Drop in any JWT token. The tool decodes header, payload, and signature without any server-side processing.

Select attack tests

Choose which vulnerabilities to test: algorithm confusion, none bypass, secret brute-force, or claim injection.

Get exploit payload

For confirmed vulnerabilities, the tool generates a ready-to-use forged token and curl command for your PoC.

RaSEC Platform

Run JWT Analyzer as part of an overnight hunt.

All 8 tools in coordinated sequence
Deterministic reproduction
Copy-paste PoC reports
No credit card
Cancel anytime
Free forever tier