
Embedded JWK attack issue? + Recommendation #6

@TounSec


Hi

To start, thanks for your plugin 😄

Description

I just used the “Embedded JWK” attack for the “JWT authentication bypass via jwk header injection” challenge on Portswigger Academy. I don't know if it's a problem with how I'm using it or if the attack has a real issue, but I couldn't solve it with it and had to use jwt_tool. I think there's a problem with the signature.

Process without saved key

(three screenshots)

Process with saved key

(two screenshots)

Recommendation

I would like to suggest two additions:

The first is the ability to copy the token from JWT Editor in the same way as you can do for Header, Payload, and Signature.

(screenshot)

The second is to highlight requests that contain a JWT in a specific color (in the same way that JWT Edit did on Burp Suite).

Thanks in advance for your response!


Labels: bug (Something isn't working)