JWT Authorization Bypass Testbed

https://403.brutelogic.net/authz/jwt/none         # alg:None, Array Wrapping
https://403.brutelogic.net/authz/jwt/nosig        # No Signature Verification
https://403.brutelogic.net/authz/jwt/iss          # iss Spoofing [?technique=spoof|array]
https://403.brutelogic.net/authz/jwt/iss-ssrf     # iss URL Injection (SSRF)
https://403.brutelogic.net/authz/jwt/aud          # aud Removal [?technique=removal|wildcard|array]
https://403.brutelogic.net/authz/jwt/relay        # Cross-Service Relay
https://403.brutelogic.net/authz/jwt/jti          # jti Replay Bypass [?technique=removal|null|sqli]
https://403.brutelogic.net/authz/jwt/kid          # kid Path Traversal + URL Injection
https://403.brutelogic.net/authz/jwt/jku          # jku Injection
https://403.brutelogic.net/authz/jwt/x5u          # x5u Injection
https://403.brutelogic.net/authz/jwt/x5c          # x5c Injection
https://403.brutelogic.net/authz/jwt/x5t          # x5t + x5c Combined
https://403.brutelogic.net/authz/jwt/jwk          # jwk Injection + No-alg Confusion
https://403.brutelogic.net/authz/jwt/confusion    # RS256→HS256 + Whitespace Bypass
https://403.brutelogic.net/authz/jwt/weak         # Weak Secret
https://403.brutelogic.net/authz/jwt/claims       # Claim Enumeration
https://403.brutelogic.net/authz/jwt/format       # JWT Format Confusion
https://403.brutelogic.net/authz/jwt/jwe          # Sign/Encrypt Confusion

© 2026 Brute Logic — All rights reserved.