{"id":29358347,"url":"https://github.com/kedi/jwt-attacker","last_synced_at":"2025-10-26T11:45:46.110Z","repository":{"id":302956308,"uuid":"1014049801","full_name":"kedi/jwt-attacker","owner":"kedi","description":"tool to test and exploit common JWT security issues such as weak signing keys, alg:none bypasses, and RS/HS confusion attacks.","archived":false,"fork":false,"pushed_at":"2025-07-05T00:38:27.000Z","size":29,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-05T01:34:20.775Z","etag":null,"topics":["jwt","jwt-attacks","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kedi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-05T00:28:56.000Z","updated_at":"2025-07-05T01:27:05.000Z","dependencies_parsed_at":"2025-07-05T01:34:23.990Z","dependency_job_id":"1248614d-df65-4b9d-9a3c-63155615dc66","html_url":"https://github.com/kedi/jwt-attacker","commit_stats":null,"previous_names":["kedi/jwt-attacker"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kedi/jwt-attacker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kedi%2Fjwt-attacker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kedi%2Fjwt-attacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kedi%2Fjwt-attacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
kedi%2Fjwt-attacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kedi","download_url":"https://codeload.github.com/kedi/jwt-attacker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kedi%2Fjwt-attacker/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264406600,"owners_count":23603164,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","jwt-attacks","security"],"created_at":"2025-07-09T06:31:45.256Z","updated_at":"2025-10-26T11:45:46.048Z","avatar_url":"https://github.com/kedi.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JWT Attacker Tool\n\nA Python-based toolkit for testing the security of JWT implementations. This tool helps researchers, developers, and bug bounty hunters identify common JWT misconfigurations and vulnerabilities.\n\n## Features\n\n- **HS256 Secret Cracker**: Brute-force weak signing keys\n- **JWT Forger**: Sign your own payloads with custom headers\n- **alg: none Attack**: Generate unsigned tokens\n- **Rich CLI Interface**: Beautiful terminal output with colors\n\n## Disclaimer\n\n**This tool is for educational and authorized testing purposes only. Do not use it against systems you don't have permission to test. 
The authors are not responsible for any misuse of this tool.**\n\n## Installation\n\n### Option 1: Clone and Install\n\n```bash\ngit clone https://github.com/kedi/jwt-attacker\ncd jwt-attacker\npip install -r requirements.txt\n```\n\n### Option 2: Install as Package\n\n```bash\npip install -e .\n```\n\n## Usage\n\n### Basic Command Structure\n\n```bash\npython -m jwt_attacker \u003ccommand\u003e [options]\n```\n\n### 1. Crack HS256 Tokens\n\nBrute-force attack on HS256 signed tokens:\n\n```bash\npython -m jwt_attacker crack --token \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\" --wordlist examples/wordlist.txt\n```\n\n### 2. Forge JWT Tokens\n\nCreate custom signed JWT tokens:\n\n```bash\npython -m jwt_attacker forge --payload '{\"user\": \"admin\", \"role\": \"administrator\"}' --secret \"mysecret\"\n```\n\n### 3. Generate alg:none Tokens\n\nCreate unsigned tokens (alg:none attack):\n\n```bash\npython -m jwt_attacker alg-none --payload '{\"user\": \"admin\", \"role\": \"administrator\"}'\n```\n\n### Windows PowerShell Usage\n\nFor Windows PowerShell users, use escaped double quotes:\n\n```powershell\n# alg:none attack\npython -m jwt_attacker alg-none --payload '{\\\"user\\\":\\\"admin\\\",\\\"role\\\":\\\"administrator\\\"}'\n\n# Forge JWT token\npython -m jwt_attacker forge --payload '{\\\"user\\\":\\\"admin\\\"}' --secret \"mysecret\"\n\n# Crack JWT token\npython -m jwt_attacker crack --token \"eyJ0eXAiOi...\" --wordlist examples/wordlist.txt\n```\n\n**PowerShell Tips:**\n\n- Use single quotes around the entire JSON payload\n- Escape double quotes inside JSON with backslash: `\\\"`\n- Example: `--payload '{\\\"key\\\":\\\"value\\\"}'`\n\nFor an interactive PowerShell example script, run:\n\n```powershell\npowershell -ExecutionPolicy Bypass -File examples/windows_examples.ps1\n```\n\n## Project Structure\n\n```\njwt-attacker/\n├── README.md\n├── LICENSE\n├── requirements.txt\n├── setup.py\n├── .gitignore\n├── jwt_attacker/\n│   ├── __init__.py\n│   ├── main.py\n│   
├── forge.py\n│   ├── crack.py\n│   ├── alg_none.py\n│   └── utils.py\n├── examples/\n│   ├── token_example.txt\n│   └── wordlist.txt\n└── tests/\n    └── test_crack.py\n```\n\n## Testing\n\nRun the test suite:\n\n```bash\npython -m pytest tests/\n```\n\n## Examples\n\n### Example 1: Crack a Weak Token\n\n```bash\npython -m jwt_attacker crack --token \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Njc1NzI0NTQsImlhdCI6MTc1MTY3NDg1NCwibmJmIjoxNzUxNjc0ODU0LCJpc3MiOiJ0ZXN0LmNvbSIsInN1YiI6InlvdXItc3ViamVjdCIsImF1ZCI6InlvdXItYXVkaWVuY2UiLCJqdGkiOiJ5b3VyLWluZGVudGlmaWVyIn0.AU3QiW8J1kN6pzjpe8T3ikX5UK7ensTGEa8RZDb9qL4\" --wordlist examples/wordlist.txt\n```\n\n### Example 2: Forge Admin Token\n\n```bash\npython -m jwt_attacker forge --payload '{\"user\": \"admin\", \"admin\": true}' --secret \"secret123\"\n```\n\n### Example 3: Generate Unsigned Token\n\n```bash\npython -m jwt_attacker alg-none --payload '{\"user\": \"admin\", \"admin\": true}'\n```\n\n### Windows PowerShell Examples\n\n```powershell\n# Example 1: Crack a weak token\npython -m jwt_attacker crack --token \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\" --wordlist examples/wordlist.txt\n\n# Example 2: Forge admin token\npython -m jwt_attacker forge --payload '{\\\"user\\\":\\\"admin\\\",\\\"admin\\\":true}' --secret \"secret123\"\n\n# Example 3: Generate unsigned token\npython -m jwt_attacker alg-none --payload '{\\\"user\\\":\\\"admin\\\",\\\"admin\\\":true}'\n```\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Make your changes\n4. Add tests if applicable\n5. 
Submit a pull request\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Resources\n\n- [JWT.io](https://jwt.io/) - JWT Debugger\n- [OWASP JWT Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html)\n- [Common JWT Vulnerabilities](https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkedi%2Fjwt-attacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkedi%2Fjwt-attacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkedi%2Fjwt-attacker/lists"}