{"id":19078216,"url":"https://github.com/mazen160/jwt-pwn","last_synced_at":"2025-04-09T09:09:20.586Z","repository":{"id":35191517,"uuid":"216823793","full_name":"mazen160/jwt-pwn","owner":"mazen160","description":"Security Testing Scripts for JWT","archived":false,"fork":false,"pushed_at":"2022-06-30T02:50:20.000Z","size":8,"stargazers_count":312,"open_issues_count":2,"forks_count":57,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-04-02T07:09:32.806Z","etag":null,"topics":["jwt","jwt-cracker","jwt-pwn","web-security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mazen160.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-22T13:42:09.000Z","updated_at":"2025-02-26T19:04:22.000Z","dependencies_parsed_at":"2022-07-05T20:29:53.579Z","dependency_job_id":null,"html_url":"https://github.com/mazen160/jwt-pwn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fjwt-pwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fjwt-pwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fjwt-pwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fjwt-pwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mazen160","download_url":"https://codeload.github.com/mazen160/jwt-pwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248008630,"owners_count":21032556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","jwt-cracker","jwt-pwn","web-security"],"created_at":"2024-11-09T02:07:21.507Z","updated_at":"2025-04-09T09:09:20.568Z","avatar_url":"https://github.com/mazen160.png","language":"Python","funding_links":[],"categories":["Pentesting"],"sub_categories":["Payloads"],"readme":"jwt-pwn\n=========\n\n## Security Testing Scripts for JWT\n\n---\n\n## jwt-cracker.py\n\nJWT password/secret cracker.\n\n```\n$python3 jwt-cracker.py -jwt \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4\" -t 10 -w /pentest/wordlist.txt\n[info] Loaded wordlist.\n[info] starting brute-forcing.\n[#] KEY FOUND: 1234\n```\n\n---\n\n\n## go-jwt-cracker\n\nJWT password/secret cracker that is much faster.\n\n```\n$ cd go-jwt-cracker\n$ go get\n$ go build # Building the binary.\n\n$ ./go-jwt-cracker -wordlist /pentest/wordlist.txt -token \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4\"\n[+] Key Found: 1234\n```\n\n---\n\n## jwt-decoder.py\n\nDecodes the value of JWT.\n\n```\n$ python3 jwt-decoder.py \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1\nYqLEv9ypAApz27nfYP5L4\"\n\n\n[#] JWT Header:\n{\"alg\": \"HS256\", \"typ\": \"JWT\"}\n\n[#] JWT Value:\n{\"jwt\": \"pwn\"}\n```\n\n---\n\n## jwt-any-to-hs256.py\n\nGenerates a new JWT that is signed with HS256 with the same payload value of a provided JWT.\n\n```\npython3 jwt-any-to-hs256.py \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc\n8D-J1YqLEv9ypAApz27nfYP5L4\"\n\n\n[#] Generated JWT:\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqd3QiOiJwd24ifQ.WqY6R5zmscIx_6ZFwSASHZ_1zbqih_IdtLv_S2Pj028\n```\n\n---\n\n## jwt-mimicker.py\n\nGenerates a new unsigned JWT with the same payload value of a provided JWT.\n\n```\npython3 jwt-mimicker.py \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J\n1YqLEv9ypAApz27nfYP5L4\"\n\n\n[#] Generated unsigned JWT:\neyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJqd3QiOiJwd24ifQ.\n```\n\n---\n\n# **Requirements** #\n* Python2 or Python3\n* pyjwt\n\n\n# **Legal Disclaimer** #\nThis project is made for educational and ethical testing purposes only. Usage of jwt-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n\n# **License** #\nThe project is licensed under MIT License.\n\n\n# **Author** #\n*Mazin Ahmed*\n* Website: [https://mazinahmed.net](https://mazinahmed.net)\n* Email: *mazin AT mazinahmed DOT net*\n* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160)\n* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmazen160%2Fjwt-pwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmazen160%2Fjwt-pwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmazen160%2Fjwt-pwn/lists"}