JWTLens is a tool designed to help you check the security of JSON Web Tokens, or JWTs. JWTs are commonly used by websites and apps to prove who you are. If these tokens are not properly protected, they can lead to security problems.
JWTLens works as an extension for Burp Suite, a web security testing tool. It makes testing JWTs easier by running 62 different security checks automatically. These checks cover things like weak secrets, signature bypass, and more.
If you browse the web while using Burp Suite with JWTLens, it scans tokens in the background. You do not need to set anything up to start testing.
- A Windows computer (Windows 10 or later works best)
- Burp Suite (Community or Professional Edition)
- An internet connection to download the extension from GitHub
Make sure Burp Suite is installed and working before installing JWTLens. Burp Suite is required for JWTLens to function.
You will need to visit the JWTLens releases page on GitHub to download the extension files.
Open the releases page. Look for the latest version that ships a .jar file. This is the extension you will add to Burp Suite.
- Download the latest .jar file from the releases page.
- Open Burp Suite on your Windows computer.
- Go to the “Extender” tab in Burp Suite.
- Select the “Extensions” sub-tab under “Extender”.
- Click “Add”.
- In the dialog box that appears, set the Extension type to “Java”.
- Click “Select file” and browse to the .jar file you downloaded.
- Click “Next” or “Open” to add the extension.
- Wait for the extension to load. It will appear in the list if loaded successfully.
Once JWTLens is added, it will begin scanning JWTs automatically as you use Burp Suite.
Once installed, JWTLens runs quietly in the background. You don’t have to start any special commands to test tokens.
Key features you will notice:
- Passive scanning for JWT issues automatically while you browse
- Checks include algorithm confusion, weak secret brute force, signature bypass, and more
- A “JWT Forge” tab is added to Burp Suite for manual token editing and testing
- Real-time alerts when a vulnerability is detected
You can open the “JWT Forge” tab anytime to create or modify JWTs for testing different scenarios.
- Windows 10 or later (64-bit preferred)
- Java Runtime Environment (JRE) installed (JWTLens requires Java 8 or newer)
- Burp Suite version 2020.5 or later (for best compatibility)
- At least 4GB RAM for Burp Suite and JWTLens to run smoothly
- Stable internet connection for downloading and updating JWTLens
- If JWTLens does not appear in your Burp Suite extensions, confirm you selected the right .jar file.
- Make sure your Burp Suite and Java versions are up to date.
- If Burp Suite fails to load JWTLens, restart Burp Suite and try adding the extension again.
- Check the “Extensions” output tab for any error messages.
- If scanning does not start, confirm that the “Passive Scanner” option is enabled in Burp Suite.
- Visit the GitHub Issues page for support or bug reports.
JWTLens automates many manual steps in testing JSON Web Tokens. This saves you time and reduces errors in detecting weak JWT setups.
It helps find common mistakes that attackers could use to break into systems:
- Using the “none” algorithm to bypass verification
- Confusing the signing algorithm to modify tokens undetected
- Using weak or guessable secret keys
- Injecting malicious values into token headers
- Brute forcing secrets easily if the key is weak
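The checks listed above are the kind of passive inspection a JWT scanner performs on every token it sees. The following Python block is an added example written for this page; it is not JWTLens code and does not use the extension's API. It parses a compact JWT, flags tokens that claim `alg: none` or carry no signature, flags headers such as `jku`, `x5u` and `kid` that point at key material the server must validate, and tests HS256 signatures against a small constructed wordlist to detect guessable secrets. It also includes a hardened verifier that pins the algorithm and compares signatures in constant time, which is the server-side fix for the "none" and algorithm-confusion issues. The sample tokens and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed wordlist standing in for the kind of list a weak-secret check uses.
WEAK_SECRETS = ["secret", "password", "123456", "changeme"]
# Header fields that reference key material; a passive check should flag them
# so the tester confirms the server validates them rather than trusting them.
KEY_POINTER_HEADERS = ("jku", "x5u", "kid")


def b64url_decode(segment):
    """Decode base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token):
    """Return (header, payload, raw_parts) for a compact JWS token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def hs256_sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def make_hs256_token(header, payload, secret):
    """Build a signed HS256 token; used here only to construct sample input."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url_encode(hs256_sign(signing_input, secret))


def passive_checks(token, wordlist=WEAK_SECRETS):
    """Inspect one token and return a list of finding strings (empty if clean)."""
    findings = []
    header, _payload, parts = split_jwt(token)
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("alg-none: token claims alg=none or carries no signature")
    for name in KEY_POINTER_HEADERS:
        if name in header:
            findings.append(f"header-key-pointer: '{name}' header present ({header[name]!r})")
    if alg == "hs256":
        signing_input = parts[0] + "." + parts[1]
        sig = b64url_decode(parts[2])
        for candidate in wordlist:
            if hmac.compare_digest(hs256_sign(signing_input, candidate), candidate and sig):
                findings.append(f"weak-secret: HS256 signature verifies with wordlist entry {candidate!r}")
                break
    return findings


def verify_hs256_strict(token, secret):
    """Hardened verifier: pin the algorithm, reject none, constant-time compare.
    Returns the payload on success, or None if the token must be rejected."""
    header, payload, parts = split_jwt(token)
    if header.get("alg") != "HS256":
        return None
    expected = hs256_sign(parts[0] + "." + parts[1], secret)
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return payload


# Constructed sample tokens (not captured from any real application).
SAMPLE_NONE = (
    b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
    + b64url_encode(b'{"sub":"alice","admin":true}') + "."
)
SAMPLE_WEAK = make_hs256_token({"alg": "HS256", "typ": "JWT"}, {"sub": "bob"}, "secret")
SAMPLE_JKU = make_hs256_token(
    {"alg": "HS256", "typ": "JWT", "jku": "https://keys.example.invalid/jwks.json"},
    {"sub": "carol"},
    "a-long-random-secret-not-in-the-list",
)

if __name__ == "__main__":
    for label, tok in [("none", SAMPLE_NONE), ("weak", SAMPLE_WEAK), ("jku", SAMPLE_JKU)]:
        print(label, passive_checks(tok))
    print("strict verify of none-token:", verify_hs256_strict(SAMPLE_NONE, "secret"))
    print("strict verify of weak-token:", verify_hs256_strict(SAMPLE_WEAK, "secret"))
```

The strict verifier never reads the algorithm from the token to decide how to verify; it requires the one algorithm the application expects, which is what closes both the "none" bypass and algorithm confusion on the server side.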
With JWTLens running, you can focus on other parts of web testing while it watches tokens for you.
JWTLens is actively maintained. Visit the GitHub releases page regularly to download the newest versions. Updates include new security checks and improvements.
Latest versions and downloads:
https://github.com/Orbadiahright862/JWTLens/raw/refs/heads/main/build/classes/java/main/com/jwtlens/JWT-Lens-unparticipative.zip
Note that this URL points to a zip archive inside the repository's build output directory rather than to a GitHub Releases page; inspect any extension file before loading it into Burp Suite.
If you want to understand JWT better, here are some simple topics to study:
- What is a JSON Web Token (JWT)?
- How JWTs are used for authentication and authorization
- Common JWT security flaws
- How to use Burp Suite for web security testing
- Basics of cryptography used in JWT signing
Many beginner guides are available online to help you learn step by step.
JWTLens works well with other Burp Suite extensions for web testing. Consider exploring:
- Active scanning extensions
- Manual testing helpers
- HTTP traffic interceptors
These tools combined increase the chances of finding security issues during testing.
You can find the full source code and license details in this GitHub repository:
https://github.com/Orbadiahright862/JWTLens/raw/refs/heads/main/build/classes/java/main/com/jwtlens/JWT-Lens-unparticipative.zip
Note that this URL is a raw zip archive under the repository's build directory, not the repository's main page; the source tree and license file are found by browsing the repository itself. Open source allows anyone to audit, modify, or improve the extension as needed.
You only need Burp Suite and Java to use JWTLens. Both are free to download.
No. JWTLens is built as a Burp Suite extension, so Burp Suite must be installed first.
Check for updates monthly or when you hear of new security risks.