A tool to scan JWT tokens for security vulnerabilities
JWT Security Scanner
Analyze JSON Web Tokens (JWTs) for common security vulnerabilities and generate professional security reports.
Available on PyPI
Install the tool directly:
pip install jwt-security-scanner
Run the scanner:
jwt-scanner
Windows users: if `jwt-scanner` is not recognized, run:
py -m jwt_scanner.scanner
Project Overview
JWT (JSON Web Token) is widely used for authentication in modern web applications. However, insecure JWT implementations can expose applications to authentication bypass, privilege escalation, token forgery, and unauthorized access.
This project is a Python-based command-line security scanner that analyzes JWTs for common security misconfigurations and generates detailed security reports with remediation recommendations.
Features
- Detects 5 common JWT security vulnerability categories
- Colored terminal output using Rich
- Generates professional HTML security reports
- Generates text reports for documentation
- Provides security recommendations
- Simple command-line interface
- Available as a PyPI package
Security Checks
| Security Check | Description | Risk |
|---|---|---|
| Algorithm Check | Detects insecure `none` algorithm usage | Critical |
| Weak Secret Key | Detects commonly used weak HMAC secrets | Critical |
| Expiry Check | Detects a missing expiration (`exp`) claim or an already expired token | High |
| Sensitive Data | Detects passwords or confidential data in the payload | High |
| Token Claims | Checks for missing `iss`, `sub`, `aud`, `iat` claims | Medium |
Technologies Used
- Python 3
- PyJWT
- Rich
- Colorama
- Requests
Installation
Install from PyPI
pip install jwt-security-scanner
If pip is unavailable:
py -m pip install jwt-security-scanner
Usage
Launch the scanner:
jwt-scanner
Or, if the command is not recognized on Windows:
py -m jwt_scanner.scanner
Follow the prompts to paste a JWT token. The scanner will automatically:
- Decode the token
- Perform security analysis
- Display findings
- Generate HTML and TXT reports
Example Output
JWT Security Scanner
SECURITY FINDINGS
CRITICAL Weak Secret Key Found
HIGH No Expiration Time
HIGH Sensitive Data Detected
SECURITY SUMMARY
Critical : 1
High : 2
Medium : 0
Low : 5
Verdict:
CRITICAL VULNERABILITIES FOUND
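As an added example, not the jwt-security-scanner package's own code, the script below implements the five check categories from the Security Checks table with only the Python standard library and prints findings and a verdict in the shape of the example output above. The weak-secret list, the sensitive-claim names, the recommended-claim list and the sample token are constructed for the example; the real tool's lists, thresholds and output format may differ.

```python
"""Stdlib-only JWT checks covering the five categories in the Security Checks table.
Added example; not the jwt-security-scanner package's own code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed list of default/weak secrets for the weak-secret check (assumption:
# the real tool ships its own list; these are placeholders for the example).
WEAK_SECRETS = ["secret", "password", "123456", "changeme"]
# Constructed claim names treated as sensitive (assumption, not the tool's list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "ssn", "credit_card"}
RECOMMENDED_CLAIMS = ["iss", "sub", "aud", "iat"]


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, secret: str) -> str:
    """Build a constructed sample token (HS256, or unsigned when alg is 'none')."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if str(header.get("alg", "")).lower() == "none":
        return signing_input + "."          # empty signature segment
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def scan_token(token: str, now=None) -> list:
    """Return one {'severity', 'title'} finding per failed check."""
    now = time.time() if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    payload = json.loads(b64url_decode(body_b64))
    findings = []

    # 1. Algorithm check: 'none' means no signature is verified at all.
    if str(header.get("alg", "")).lower() == "none":
        findings.append({"severity": "CRITICAL", "title": "Insecure 'none' algorithm"})

    # 2. Weak secret: does the HS256 signature verify under a well-known default?
    if header.get("alg") == "HS256":
        signing_input = f"{head_b64}.{body_b64}".encode()
        actual = b64url_decode(sig_b64)
        for candidate in WEAK_SECRETS:
            expected = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(actual, expected):
                findings.append({"severity": "CRITICAL", "title": "Weak Secret Key Found"})
                break

    # 3. Expiry: a missing 'exp' never expires; a past 'exp' is stale.
    if "exp" not in payload:
        findings.append({"severity": "HIGH", "title": "No Expiration Time"})
    elif payload["exp"] < now:
        findings.append({"severity": "HIGH", "title": "Token Expired"})

    # 4. Sensitive data: the payload is only base64url-encoded, not encrypted.
    if SENSITIVE_KEYS & {k.lower() for k in payload}:
        findings.append({"severity": "HIGH", "title": "Sensitive Data Detected"})

    # 5. Recommended claims that let a verifier bind the token to issuer/audience.
    missing = [c for c in RECOMMENDED_CLAIMS if c not in payload]
    if missing:
        findings.append({"severity": "MEDIUM", "title": "Missing claims: " + ", ".join(missing)})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity and derive the verdict line."""
    counts = {s: 0 for s in ("CRITICAL", "HIGH", "MEDIUM", "LOW")}
    for f in findings:
        counts[f["severity"]] += 1
    if counts["CRITICAL"]:
        verdict = "CRITICAL VULNERABILITIES FOUND"
    elif counts["HIGH"]:
        verdict = "HIGH RISK ISSUES FOUND"
    elif counts["MEDIUM"]:
        verdict = "MEDIUM RISK ISSUES FOUND"
    else:
        verdict = "NO ISSUES FOUND"
    return {"counts": counts, "verdict": verdict}


# Constructed sample: default secret, no 'exp', a password claim, only 'sub' present.
SAMPLE_TOKEN = make_token(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "alice", "role": "admin", "password": "hunter2"},
    "secret",
)

if __name__ == "__main__":
    result = scan_token(SAMPLE_TOKEN)
    for f in result:
        print(f"{f['severity']:<8} {f['title']}")
    print("Verdict:", summarize(result)["verdict"])
```

The weak-secret check only recomputes the HMAC over the token's own header and payload and compares it in constant time with `hmac.compare_digest`; a match means the issuer signed with a secret that anyone could guess, which is the finding the table reports as Critical.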
Reports Generated
Every scan automatically generates:
Text Report
- Plain text format
- Easy to archive
- Useful for documentation
HTML Report
- Modern responsive design
- Severity dashboard
- Findings table
- Token information
- Security recommendations
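As an added example of the two report formats listed above, and not the package's own report code, the script below renders a findings list into a plain-text report and an HTML report with a severity dashboard, a findings table, token information and recommendations. The findings list, the recommendation wording and the token information are constructed for the example; the real tool's data structures and layout may differ. The point a report generator must get right is that claim values come from an untrusted token, so everything written into the HTML is escaped.

```python
"""Text and HTML report rendering for JWT scan findings.
Added example; not the jwt-security-scanner package's own report code."""
import html

# Constructed findings in the shape a scan might produce (assumption: the
# real tool's internal structure may differ).
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "title": "Weak Secret Key Found",
     "recommendation": "Sign with a random secret of at least 256 bits and rotate it."},
    {"severity": "HIGH", "title": "No Expiration Time",
     "recommendation": "Set a short 'exp' and use refresh tokens for longer sessions."},
]
# Constructed token information. The 'sub' value carries markup on purpose so the
# test can confirm that the HTML renderer escapes untrusted claim values.
SAMPLE_TOKEN_INFO = {"alg": "HS256", "sub": "<b>alice</b>"}

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def severity_counts(findings):
    """Count findings per severity for the dashboard/summary."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def render_text_report(findings, token_info):
    """Plain-text report, easy to archive alongside other assessment notes."""
    lines = ["JWT SECURITY REPORT", "", "TOKEN INFORMATION"]
    lines += [f"  {k}: {v}" for k, v in token_info.items()]
    lines += ["", "FINDINGS"]
    lines += [f"  [{f['severity']}] {f['title']}" for f in findings] or ["  none"]
    lines += ["", "SUMMARY"]
    lines += [f"  {s.title()}: {n}" for s, n in severity_counts(findings).items()]
    return "\n".join(lines) + "\n"


def render_html_report(findings, token_info):
    """HTML report; every value originating from the token is HTML-escaped."""
    esc = html.escape
    counts = severity_counts(findings)
    dashboard = "".join(
        f'<li class="{s.lower()}">{s.title()}: {counts[s]}</li>' for s in SEVERITY_ORDER
    )
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            esc(f["severity"]), esc(f["title"]), esc(f.get("recommendation", ""))
        )
        for f in findings
    )
    info = "".join(f"<li>{esc(str(k))}: {esc(str(v))}</li>" for k, v in token_info.items())
    return (
        "<!doctype html><html><head><meta charset='utf-8'>"
        "<title>JWT Security Report</title></head><body>"
        "<h1>JWT Security Report</h1>"
        f"<h2>Severity dashboard</h2><ul>{dashboard}</ul>"
        "<h2>Findings</h2><table><tr><th>Severity</th><th>Finding</th>"
        f"<th>Recommendation</th></tr>{rows}</table>"
        f"<h2>Token information</h2><ul>{info}</ul></body></html>"
    )


if __name__ == "__main__":
    print(render_text_report(SAMPLE_FINDINGS, SAMPLE_TOKEN_INFO))
    with open("jwt_report.html", "w", encoding="utf-8") as fh:
        fh.write(render_html_report(SAMPLE_FINDINGS, SAMPLE_TOKEN_INFO))
```

Without the escaping, a claim value such as `<script>` inside a scanned token would execute when the report is opened in a browser, so the report itself would become a way to attack whoever reads it.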
What I Learned
- JWT Architecture (Header · Payload · Signature)
- Digital Signatures
- HMAC & SHA-256
- HS256 vs RS256
- Base64URL Encoding
- JWT Security Best Practices
- Python Security Tool Development
- HTML Report Generation
- Python Package Publishing (PyPI)
Real-World Application
JWT security is an important part of modern web application security. During security assessments, penetration testers and application security engineers review JWT implementations to identify weaknesses such as insecure algorithms, weak signing secrets, missing expiration, and improper token validation.
This tool helps automate those checks for learning and testing purposes.
Project Structure
JWT-Security-Scanner/
│
├── jwt_scanner/
│   ├── __init__.py
│   └── scanner.py
├── setup.py
├── pyproject.toml
├── requirements.txt
├── README.md
└── .gitignore
Running from Source
Clone the repository:
git clone https://github.com/tabassumfathima28/JWT-Security-Scanner.git
cd JWT-Security-Scanner
Install dependencies:
pip install -r requirements.txt
Run:
py jwt_scanner\scanner.py
Related Project
AI-Powered SIEM Home Lab
A complete SIEM lab built using Elastic SIEM and Tines automation.
https://github.com/tabassumfathima28/SIEM-HOME-LAB-PROJECT
Author
Tabassum Fathima
Cybersecurity Undergraduate | Aspiring SOC Analyst
- GitHub: https://github.com/tabassumfathima28
- LinkedIn: https://www.linkedin.com/in/tabassumfathima2812/
Support
If you found this project useful, consider giving it a star on GitHub!
"Security is not a product, but a process." – Bruce Schneier
Download files
File details
Details for the file jwt_security_scanner-1.0.1.tar.gz.
File metadata
- Download URL: jwt_security_scanner-1.0.1.tar.gz
- Upload date:
- Size: 12.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4bd3ce9a4537081fd3268c5f68e9eb21deeee0ee2e20e1c5baa69155b9b10ef8 |
| MD5 | 999722a625556fea63a20827fd420c3c |
| BLAKE2b-256 | dc6e6035e4304a2991cb30c4f850fd15cb0ed0d5a5a0174e0eff9cad333d943f |
File details
Details for the file jwt_security_scanner-1.0.1-py3-none-any.whl.
File metadata
- Download URL: jwt_security_scanner-1.0.1-py3-none-any.whl
- Upload date:
- Size: 10.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9cde214de7741fef4fbcae9ac9fa939abfb07af8b081677954d591b4ea754906 |
| MD5 | c285067c1cc25cf16fa53bd0fccb0fd9 |
| BLAKE2b-256 | a1cd911a90edbd8ee39557481338d4dfba84e9c7b3aae92cdc68956630a5c9d0 |