jwt_tool - A Toolkit for Testing, Tweaking and Cracking JSON Web Tokens
jwt_tool.py is a toolkit for validating, forging and cracking JWTs (JSON Web Tokens). Its functionality includes:
- Checking the validity of a token
- Testing for the RS/HS256 public key mismatch vulnerability
- Testing for the alg=None signature-bypass vulnerability
- Testing the validity of a secret/key/key file
- Identifying weak keys via a High-speed Dictionary Attack
- Forging new token header and payload values and creating a new signature with the key or via another attack method
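The following Python 3 script is an added example, not code from jwt_tool (which itself targets Python 2.x). It shows the checks in the list above from the verifying side: HMAC signing with the three supported HS algorithms, a verifier that refuses alg=none and any algorithm other than the one it was configured for (which also closes the RS/HS key-confusion route, since an RS token can never satisfy an HS256-only verifier), and a dictionary check that reports whether a token's secret appears in a wordlist. The secret, claims and wordlist are constructed for the example; the header and payload are chosen to match the README's sample token.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms the verifier is willing to accept (the same three jwt_tool signs with).
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data):
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(segment):
    """Base64url decode, restoring any stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(header, payload, key):
    """Build header.payload.signature using the HMAC algorithm named in header['alg']."""
    alg = header["alg"]
    if alg not in ALLOWED_ALGS:
        raise ValueError("unsupported alg: %r" % alg)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), ALLOWED_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key, expected_alg="HS256"):
    """Hardened verification: the caller fixes the algorithm, so alg=none and any
    other alg in the header are rejected before the signature is even looked at.
    Returns the payload on success and raises ValueError otherwise."""
    if expected_alg not in ALLOWED_ALGS:
        raise ValueError("verifier only supports %s" % ", ".join(ALLOWED_ALGS))
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg is None or str(alg).lower() == "none":
        raise ValueError("unsigned (alg=none) tokens are not accepted")
    if alg != expected_alg:
        raise ValueError("alg %r does not match expected %r" % (alg, expected_alg))
    expected = hmac.new(key, (head_b64 + "." + payload_b64).encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token, key, expected_alg="HS256"):
    """Boolean wrapper around verify_jwt for batch checks."""
    try:
        verify_jwt(token, key, expected_alg)
        return True
    except ValueError:
        return False


def find_weak_secret(token, wordlist):
    """Dictionary check: return the wordlist entry that validates the token, or None.
    A hit means the HMAC secret is guessable and should be rotated."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(head_b64)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("dictionary check only applies to HS tokens")
    signing_input = (head_b64 + "." + payload_b64).encode()
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        digest = hmac.new(candidate.encode(), signing_input, ALLOWED_ALGS[alg]).digest()
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def demo():
    """Constructed scenario: a deliberately weak secret, a valid token, an alg=none
    forgery of the same payload, and a tiny wordlist that contains the secret."""
    secret = b"secret123"  # constructed; weak on purpose so the dictionary check hits
    token = sign_jwt({"typ": "JWT", "alg": "HS256"}, {"login": "ticarpi"}, secret)
    none_token = ".".join([b64url_encode(b'{"typ":"JWT","alg":"none"}'), token.split(".")[1], ""])
    return {
        "token": token,
        "valid": verify_jwt(token, secret),
        "none_rejected": not is_accepted(none_token, secret),
        "weak_secret": find_weak_secret(token, ["password", "123456", "secret123"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier never reads the algorithm from the token to decide how to check it; that single design choice is what neutralises both the alg=none and the RS/HS mismatch cases.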
Audience
This tool is written for pentesters who need to check the strength of the tokens in use, and their susceptibility to known attacks.
It may also be useful for developers who are using JWTs in projects, but would like to test for stability and for known vulnerabilities when using forged tokens.
Requirements
This tool is written natively in Python 2.x using the common libraries.
Customised wordlists are recommended for the Dictionary Attack option.
As a speed reference, an Intel i5 laptop can test 1,000,000 passwords per second on HMAC-SHA256 signing. YMMV.
Installation
Installation is just a case of downloading the jwt_tool.py file (or git cloning the repo). (chmod the file too if you want to add it to your $PATH and call it from anywhere.)
Usage
$ python jwt_tool.py <JWT> (filename)
The first argument should be the JWT itself, followed by a filename/filepath (for cracking the token, or for use as a key file).
For example:
$ python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw /usr/share/wordlists/rockyou.txt
The toolkit will validate the token and list the header and payload values.
It will then present a menu of your available options.
Note: signing the token is currently supported using HS256, HS384, HS512 algorithms
Input is in either standard or url-safe JWT format, and the resulting tokens are output in both formats for your ease of use.
Further Reading
- A great intro to JWTs - https://jwt.io/introduction/
- A lot of the inspiration for this tool comes from the vulnerabilities discovered by Tim McLean.
Check out his blog on JWT weaknesses here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- My introduction to using this toolkit, and a bit of the history behind it, can be found on my blog - https://www.ticarpi.com/introducing-jwt-tool/
- A whole bunch of exercises (7 at time of writing) for testing JWT vulnerabilities are provided by Pentesterlab. I'd highly recommend a PRO subscription if you are interested in Web App Pentesting.
- JWT (alg=None vulnerability) exercise
- JWT_II (RS/HS256 public key mismatch vulnerability) exercise
- JWT_III (key-id header field non-sanitisation vulnerability) exercise
- and just head on over to https://pentesterlab.com/exercises to search for the others!
Tips
Regex for finding JWTs in Burp Search
(make sure the 'Case sensitive' and 'Regex' options are ticked)
[= ]ey[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*
- url-safe JWT version
[= ]ey[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]*
- all JWT versions (higher possibility of false positives)
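As an added example (not code from jwt_tool), the Python 3 script below covers two things from this README: the Usage section's handling of tokens in either the standard or the url-safe base64 alphabet, listing the header and payload and emitting the token in both formats; and the Tips section's two Burp regexes, applied to a constructed HTTP request and followed by a decode check on the first segment that discards the false positives the looser pattern admits. The sample token is the one from the Usage section; the request text and decoy values are constructed. The meaning of "standard" as padded base64 with '+' and '/' is an assumption about the tool's terminology.

```python
import base64
import json
import re

# Regexes taken from the README's Burp Search tips.
JWT_URLSAFE_RE = re.compile(r"[= ]ey[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*")
JWT_ANY_RE = re.compile(r"[= ]ey[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]*")

# The README's sample token (header {"typ":"JWT","alg":"HS256"}, payload {"login":"ticarpi"}).
SAMPLE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ."
                "aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw")

# Constructed request text: one real token plus two decoys that look token-like to a regex.
SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\n"
    "Authorization: Bearer " + SAMPLE_TOKEN + "\n"
    "X-Trace: id=eyelash.not-a-token\n"
    "X-Path: dir=eyes/of.the+world\n"
)


def to_urlsafe(segment):
    """Normalise a segment to the base64url alphabet with padding stripped."""
    return segment.replace("+", "-").replace("/", "_").rstrip("=")


def to_standard(segment):
    """Render a segment in the standard base64 alphabet, padded (assumed meaning of
    the README's 'standard' format)."""
    seg = segment.replace("-", "+").replace("_", "/")
    return seg + "=" * (-len(seg) % 4)


def decode_segment(segment):
    """Decode a segment given in either alphabet, padded or not."""
    seg = to_urlsafe(segment)
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def parse_jwt(token):
    """Split a token in either format and return (header, payload, signature_bytes)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(decode_segment(parts[0]).decode("utf-8"))
    payload = json.loads(decode_segment(parts[1]).decode("utf-8"))
    signature = decode_segment(parts[2]) if parts[2] else b""
    return header, payload, signature


def both_formats(token):
    """Emit the same token in url-safe (unpadded) and standard (padded) form."""
    parts = token.strip().split(".")
    return {
        "urlsafe": ".".join(to_urlsafe(p) for p in parts),
        "standard": ".".join(to_standard(p) for p in parts),
    }


def raw_matches(text, permissive=False):
    """Everything the chosen README regex matches, with the leading '=' or ' ' dropped."""
    pattern = JWT_ANY_RE if permissive else JWT_URLSAFE_RE
    return [m.group(0)[1:] for m in pattern.finditer(text)]


def find_jwts(text, permissive=False):
    """Regex hits whose first segment decodes to a JSON object with an 'alg' member;
    anything else is a false positive and is dropped."""
    found = []
    for candidate in raw_matches(text, permissive):
        try:
            header = json.loads(decode_segment(candidate.split(".")[0]).decode("utf-8"))
        except ValueError:  # covers base64, UTF-8 and JSON decoding failures
            continue
        if isinstance(header, dict) and "alg" in header:
            found.append(candidate)
    return found


if __name__ == "__main__":
    header, payload, sig = parse_jwt(SAMPLE_TOKEN)
    print("header:", header, "payload:", payload, "sig bytes:", len(sig))
    print(both_formats(SAMPLE_TOKEN))
    print("strict regex raw hits:", len(raw_matches(SAMPLE_REQUEST)))
    print("permissive regex raw hits:", len(raw_matches(SAMPLE_REQUEST, permissive=True)))
    print("validated:", find_jwts(SAMPLE_REQUEST, permissive=True))
```

Neither regex matches '=' padding, so a padded "standard" token found in traffic will be cut off at the first '='; decoding the first segment still identifies it, but the signature segment needs to be recovered from the surrounding text by hand.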