
Working with JWTs in Burp Suite

  • Last updated: November 18, 2025

  • Read time: 2 Minutes

JSON web tokens (JWTs) are a standard format for sending cryptographically signed JSON data between systems. They're commonly used in authentication, session management, and access control mechanisms. This means that if an attacker can successfully modify a JWT, they may be able to escalate their own privileges or impersonate other users.

You can use Burp Inspector to view and decode JWTs. You can then use the JWT Editor extension to:

  1. Generate cryptographic signing keys.
  2. Edit the JWT.
  3. Resign the token with a valid signature that corresponds to the edited JWT.

You can follow along with the process below using our JWT authentication bypass via unverified signature lab.

Before you start

Install the JWT Editor extension. For more information, see Installing extensions from the BApp Store.

Viewing JWTs

  1. Identify a request with a JWT that you want to investigate further. Look for the highlighted requests in Proxy > HTTP history; these are automatically flagged by the JWT Editor extension.

    (Screenshot: Identify a request with a JWT)
  2. To view the JWT contents, highlight sections of the token in turn. Notice that the content is automatically decoded in the Inspector panel.

    (Screenshot: Viewing JWTs)
  3. Review the contents of the JWT in the Inspector panel to identify interesting information and determine any modifications that you want to make.

Editing JWTs

To edit a JWT using the JWT Editor extension:

  1. Right-click the request with the JWT and select Send to Repeater.
  2. In the request panel, go to the JSON Web Token tab.
  3. Edit the JSON data as required in the Header and Payload fields.
  4. Click Sign. A new dialog opens.
  5. In the dialog, select the appropriate signing key, then click OK. The JWT is re-signed to correspond with the new values in the header and payload. If you haven't added a signing key, follow the instructions below.

Adding a JWT signing key

To add a signing key to Burp using the JWT Editor extension:

  1. Go to the JWT Editor Keys tab.
  2. Click the button for the type of key that you want to add. For example, New Symmetric Key. A new dialog opens.
  3. In the dialog, add the new key:

    • Click Generate to create a new key.
    • Alternatively, paste an existing key into the dialog.
  4. Edit the key as required.
  5. Click OK to save the key.
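As an added illustration that is not part of the Burp documentation, the Python below shows what the steps in "Editing JWTs" and "Adding a JWT signing key" do underneath: decode_jwt mirrors what Inspector displays (no signature check), sign_jwt mirrors the Sign dialog for a symmetric key, and verify_jwt is the server-side check that rejects a token re-signed with a key the server does not hold. The key values and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt(token: str) -> tuple:
    """Decode header and payload WITHOUT checking the signature (what Inspector shows).
    A server that authorises on this alone has the 'unverified signature' flaw."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Serialise header and payload, then sign with HS256 (the Sign dialog's job)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Server-side check: return the payload only if alg is HS256 and the MAC matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # pin the expected algorithm; do not trust the header's alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed sample keys and token; neither key is real.
SERVER_KEY = b"constructed-server-secret"
TESTER_KEY = b"constructed-key-generated-in-jwt-editor"
ORIGINAL_TOKEN = sign_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener", "role": "user"}, SERVER_KEY)


def edited_token() -> str:
    """Edit the payload and re-sign with a key the tester generated (steps 3-5 of 'Editing JWTs')."""
    header, payload = decode_jwt(ORIGINAL_TOKEN)
    payload["role"] = "admin"
    return sign_jwt(header, payload, TESTER_KEY)
```

A server that only decodes (decode_jwt) sees the edited claims, while one that verifies against its own key (verify_jwt) returns None for the re-signed token.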
