{"id":13842909,"url":"https://github.com/aress31/jwtcat","last_synced_at":"2025-04-05T23:09:57.450Z","repository":{"id":20524744,"uuid":"78868202","full_name":"aress31/jwtcat","owner":"aress31","description":"A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner.","archived":false,"fork":false,"pushed_at":"2024-05-03T19:57:26.000Z","size":525,"stargazers_count":291,"open_issues_count":2,"forks_count":48,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-10-21T05:50:15.010Z","etag":null,"topics":["authentication","authorization","bearer-tokens","bruteforce","cracker","cracking","cracking-hashes","cve-2018-1000531","cybersecurity","hs256","jwt","pentest-tool","pentesting","pyjwt","python","signature","token"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aress31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"aress31","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2017-01-13T17:01:43.000Z","updated_at":"2024-10-20T06:37:49.000Z","dependencies_parsed_at":"2024-10-25T19:10:43.442Z","dependency_job_id":"59881b06-0daf-47a5-9070-e0a50b61aa58","html_url":"https://github.com/aress31/jwtcat","commit_stats":{"total_commits":68,"total_committers":11,"mean_commits":6.181818181818182,"dds":"0.22058823529411764","last_synced_commit":"f80f3d9352b82f0e7da504b2ee11f4a61f23c385"},"previous_names":[],"ta
gs_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fjwtcat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fjwtcat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fjwtcat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fjwtcat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aress31","download_url":"https://codeload.github.com/aress31/jwtcat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247411235,"owners_count":20934653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","bearer-tokens","bruteforce","cracker","cracking","cracking-hashes","cve-2018-1000531","cybersecurity","hs256","jwt","pentest-tool","pentesting","pyjwt","python","signature","token"],"created_at":"2024-08-04T17:01:50.645Z","updated_at":"2025-04-05T23:09:57.431Z","avatar_url":"https://github.com/aress31.png","language":"Python","funding_links":["https://github.com/sponsors/aress31"],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# jwtcat\n\n[![Language](https://img.shields.io/badge/Lang-Python-blue.svg)](https://www.python.org)\n[![License](https://img.shields.io/badge/License-Apache%202.0-red.svg)](https://opensource.org/licenses/Apache-2.0)\n\n## A CPU-based JSON Web Token (`JWT`) cracker and - _to some extent_ - scanner\n\n`jwtcat` is a `Python script` 
designed to detect and exploit well-known cryptographic flaws present in JSON Web Token (`JWT`).\n\nThese vulnerabilities, if successfully exploited by an adversary, could allow authentication bypass, information disclosure and could ultimately lead to the compromise of an entire information system.\n\nMore information about `JWT` vulnerabilities can be found at:\n\n- \u003chttps://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/\u003e\n\n## Features\n\n- Test against the following vulnerabilities:\n  - [CVE-2018-1000531](https://nvd.nist.gov/vuln/detail/CVE-2015-2951): `JWT` signature bypass due to the use of `None` hashing algorithm (`alg=none`)\n- Guessing attacks against `JWT` private keys **signed with the `HS256` hashing algorithm**:\n  - Brute-force attacks\n  - Wordlist attacks\n\n## Requirements\n\n`jwtcat` is fully written in `Python 3` and **requires a minimum of `Python 3.6`** in addition to the following libraries:\n\n- [coloredlogs](https://pypi.org/project/coloredlogs/)\n- [PyJWT](https://pypi.org/project/PyJWT/)\n- [tqdm](https://pypi.org/project/tqdm/)\n\n## Installation\n\n1. Clone the repository:\n\n   ```bash\n   git clone https://github.com/AresS31/jwtcat\n   cd jwtcat\n   ```\n\n2. (Optional but recommended) Create and activate a new `Python` virtual environment:\n\n   1. Create the virtual environment:\n\n      ```bash\n      python -m venv env\n      ```\n\n   2. Activate the newly created environment:\n\n      - On `POSIX`:\n\n        ```bash\n        source ./env/bin/activate\n        ```\n\n      - On `Windows`:\n\n        ```powershell\n        ./env/Scripts/Activate.ps1\n        ```\n\n3. 
Install dependencies:\n\n   ```bash\n   python -m pip install -r requirements.txt\n   ```\n\n## Usage\n\n- To list the available options:\n\n  ```bash\n  python jwtcat.py -h\n  ```\n\n- To list available options specific to brute force attacks:\n\n  ```bash\n  python jwtcat.py brute-force -h\n  ```\n\n  ![brute-force-demo](./images/brute-force_demo_cropped.gif)\n\n- To list available options specific to wordlist attacks:\n\n  ```bash\n  python jwtcat.py wordlist -h\n  ```\n\n  ![wordlist-demo](./images/wordlist_demo_cropped.gif)\n\n- To test a `JWT` against [CVE-2018-1000531](https://nvd.nist.gov/vuln/detail/CVE-2015-2951) and `HS256` brute-force attacks:\n\n  ```bash\n  python jwtcat.py vulnerable -h\n  ```\n\n  ![vulnerable-demo](./images/vulnerable_demo_cropped.gif)\n\n## Roadmap\n\n- [ ] Implement additional attack vectors.\n- [ ] Implement support for multithreading or multiprocessing.\n- [ ] Implement support for the `-tF, --token-file` switch.\n- [ ] Improve the code logic for:\n  - [ ] `TQDM` integration with the `logger`.\n- [ ] Improve the script performance.\n\n## Changelog\n\n### v1.1 - May 2020:\n\n- Added checks to see if `JWT` is signed with `HS256`.\n- Added checks to see if `JWT` is vulnerable to [CVE-2018-1000531](https://nvd.nist.gov/vuln/detail/CVE-2015-2951).\n- Added `potfile` options.\n- Added support for brute-force attacks.\n- Code refactoring.\n- Improved the standard output formatting.\n- Switched from `python-colorlog` to `coloredlogs`.\n\n## Sponsor 💖\n\nIf you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next cup of coffee. ☕\n\nIt is easy, all you got to do is press the `Sponsor` button at the top of this page or alternatively [click this link](https://github.com/sponsors/aress31). 💸\n\n## Reporting Issues\n\nFound a bug? I would love to squash it! 
🐛\n\nPlease report all issues on the GitHub [issues tracker](https://github.com/aress31/jwtcat/issues).\n\n## Contributing\n\nYou would like to contribute to better this project? 🤩\n\nPlease submit all `PRs` on the GitHub [pull requests tracker](https://github.com/aress31/jwtcat/pulls).\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fjwtcat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faress31%2Fjwtcat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fjwtcat/lists"}