{"id":17925242,"url":"https://github.com/righettod/toolbox-jwt","last_synced_at":"2025-10-14T03:22:44.485Z","repository":{"id":162636620,"uuid":"637138353","full_name":"righettod/toolbox-jwt","owner":"righettod","description":"Docker toolbox with different scripts having for the objective to perform different kinds of attacks against JWT tokens.","archived":false,"fork":false,"pushed_at":"2025-10-05T00:30:49.000Z","size":225,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-05T02:42:02.488Z","etag":null,"topics":["docker","jwt","pentesting"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-06T16:16:01.000Z","updated_at":"2025-10-05T00:30:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"fe34c79a-e63b-41a6-a2b4-fe7027d6f8a0","html_url":"https://github.com/righettod/toolbox-jwt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/righettod/toolbox-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-jwt/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righettod","download_url":"https://codeload.github.com/righettod/toolbox-jwt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-jwt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279017787,"owners_count":26086144,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","jwt","pentesting"],"created_at":"2024-10-28T20:53:11.363Z","updated_at":"2025-10-14T03:22:44.445Z","avatar_url":"https://github.com/righettod.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 💻 JWT toolbox\n\n[![Build and deploy the toolbox image](https://github.com/righettod/toolbox-jwt/actions/workflows/build_docker_image.yml/badge.svg?branch=main)](https://github.com/righettod/toolbox-jwt/actions/workflows/build_docker_image.yml) ![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with\u0026message=VisualStudio%20Code\u0026color=blue\u0026?style=for-the-badge\u0026logo=visualstudio) 
![MadeWithDocker](https://img.shields.io/static/v1?label=Made%20with\u0026message=Docker\u0026color=blue\u0026?style=for-the-badge\u0026logo=docker) ![AutomatedWith](https://img.shields.io/static/v1?label=Automated%20with\u0026message=GitHub%20Actions\u0026color=blue\u0026?style=for-the-badge\u0026logo=github)\n\n## 🎯 Description\n\nThe goal of this image is to provide a ready-to-use toolbox with different scripts whose objective is to perform different kinds of attacks against [JWT](https://jwt.io/) tokens.\n\n💡 Indeed, some existing scripts require a specific runtime, packages, etc., so the goal is to have a quick ready-to-use sandbox to execute them to obtain crafted JWT tokens.\n\n## 📦 Build\n\nUse the following set of commands to build the docker image of the toolbox:\n\n```bash\ngit clone https://github.com/righettod/toolbox-jwt.git\ncd toolbox-jwt\ndocker build . -t righettod/toolbox-jwt\n```\n\n💡 The image is built every week and pushed to the GitHub image repository. You can retrieve it with the following command:\n\n`docker pull ghcr.io/righettod/toolbox-jwt:main`\n\n## 👨‍💻 Usage\n\nUse the following command to create a container of the toolbox:\n\n```bash\ndocker run --rm -it ghcr.io/righettod/toolbox-jwt:main /bin/zsh\n# From here, use one of the provided scripts...\n```\n\n## 💡 Offline brute force operation against an HMAC secret\n\nTo perform an offline brute force operation against an HMAC secret, use one of these [JohnTheRipper packages](https://github.com/openwall/john-packages).\n\n💻 Usage:\n\n```bash\njohn tokens.txt --wordlist=rockyou.txt --rules=best64 --format=\"HMAC-SHA256\"\njohn tokens.txt --show\n```\n\n## 📋 Content\n\n### Script 'generate-jwt-ecdsa-derivated-public-keys.rb'\n\n\u003e **Note**: Author of the script is the [PentesterLab](https://blog.pentesterlab.com/exploring-algorithm-confusion-attacks-on-jwt-exploiting-ecdsa-23f7ff83390f) team ❤.\n\nScript to generate derived **ECDSA** public keys from a JWT ECDSA signed token. 
The goal is to test exposure to algorithm confusion attacks on tokens signed with an ECDSA key pair.\n\n💻 Usage:\n\n`ruby generate-jwt-ecdsa-derivated-public-keys.rb \"JWT_ECDSA_SIGNED_TOKEN\"`\n\n💻 Example:\n\n```bash\n# Once in the bash of the toolbox\nruby generate-jwt-ecdsa-derivated-public-keys.rb \"eyJ0eXA...\"\n[+] Key:\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6mWiWnAqBhDvAWwyiM7+STTq0Csi\nspjd61v7AtpvgKMyOHVMxMQ6yyrjVKp/syHteGSeltXdfEQ0Dlv0tkZQqg==\n-----END PUBLIC KEY-----\n[+] Key:\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7zuf4prcB/qW4AL7d20LSb99Zwwl\nhRSCnHTrpnHUnXoqZVAGwCNpYSJf1rpjZQocwwEL016+OuspiQ67N9EDoA==\n-----END PUBLIC KEY-----\n```\n\n### Script 'generate-jwt-rsa-derivated-public-keys.sh'\n\n\u003e **Note**: Author of the tool used by the script is the [Silent Signal](https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/) team ❤.\n\nScript to generate derived **RSA** public keys from a JWT RSA signed token. 
The goal is to test exposure to algorithm confusion attacks on tokens signed with an RSA key pair.\n\n💻 Usage:\n\n`bash generate-jwt-rsa-derivated-public-keys.sh \"JWT_RSA_SIGNED_TOKEN_1\" \"JWT_RSA_SIGNED_TOKEN_2\"`\n\n💻 Example:\n\n```bash\n# Once in the bash of the toolbox\nbash generate-jwt-rsa-derivated-public-keys.sh \"eyJ0eXA...\" \"eyJ0eXA...\"\n[*] GCD:  0x6b\n[*] GCD:  0xd7b8aa3...\n[+] Found n with multiplier 1  :\n 0xd7b8aa...\n[+] Written to d7b8aa3fc15ccb45_65537_x509.pem\n[+] Tampered JWT: b'eyJ0eXAiOiJ...'\n[+] Written to d7b8aa3fc15ccb45_65537_pkcs1.pem\n[+] Tampered JWT: b'eyJ0eXAiOiH...'\n==============================================================\nHere are your JWT's once again for your copypasting pleasure\n==============================================================\neyJ0eXAiOiJKV1Qi...\neyJ0eXAiOiJKV1Qj...\n```\n\n### Script 'apply-jwt-ticarpi-attack-playbook.sh'\n\nScript to test a web service against the [TICARPI attack playbook](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology) ❤.\n\n💻 Usage:\n\n`bash apply-jwt-ticarpi-attack-playbook.sh \"ENDPOINT_FULL_URL\" \"CANARY_WORD\" \"VALID_JWT_TOKEN\"`\n\n📍 The **canary word** is a word that must be present in the HTTP response when the JWT token is accepted (case-sensitive).\n\n💬 The JWT token is added in this header: `Authorization: Bearer $TOKEN`. 
Edit the script to change its location if needed.\n\n💡 Pipe the command above with ` | grep --color=always -F \"Response Code: 200\"` to display only requests for which the JWT token was accepted.\n\n💻 Example:\n\n```bash\n# Once in the bash of the toolbox\nbash apply-jwt-ticarpi-attack-playbook.sh \"https://righettod.eu/api/profile\" \"righettod\" \"eyJ0eXA...\"\n...\n```\n\n## 🤝 Sources \u0026 credits\n\n* \u003chttps://blog.pentesterlab.com/exploring-algorithm-confusion-attacks-on-jwt-exploiting-ecdsa-23f7ff83390f\u003e\n* \u003chttps://github.com/silentsignal/rsa_sign2n\u003e\n* \u003chttps://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/\u003e\n* \u003chttps://github.com/ticarpi/jwt_tool\u003e\n* \u003chttps://github.com/ticarpi/jwt_tool/wiki\u003e\n* \u003chttps://github.com/Sjord/jwtcrack\u003e\n* \u003chttps://www.openwall.com/john/\u003e\n* \u003chttps://github.com/openwall/john\u003e\n* \u003chttps://gist.github.com/pich4ya/f76280b7a6af67a9adf740f3ee547689\u003e\n* \u003chttps://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases\u003e\n* \u003chttps://www.javainuse.com/jwtgenerator\u003e\n* \u003chttps://jwt.io/\u003e\n* \u003chttps://github.com/openwall/john-packages\u003e\n* \u003chttps://token.dev/\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Ftoolbox-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-jwt/lists"}