{"id":13292286,"url":"https://github.com/ropwareJB/jwtfuzz","last_synced_at":"2025-03-10T07:32:54.999Z","repository":{"id":39782737,"uuid":"506237471","full_name":"ropwareJB/jwtfuzz","owner":"ropwareJB","description":"Library for fuzzing \u0026 attacking JSON Web Tokens (JWTs). Bindings for other languages included.","archived":false,"fork":false,"pushed_at":"2022-11-11T05:26:18.000Z","size":55,"stargazers_count":4,"open_issues_count":13,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2023-04-01T13:43:40.627Z","etag":null,"topics":["bug-bounty","bug-bounty-tools","bugbounty","fuzz","fuzzing","hacking","hacking-tool","jwt","jwt-token","pentesting","pentesting-tools","security"],"latest_commit_sha":null,"homepage":"","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ropwareJB.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-22T12:27:13.000Z","updated_at":"2022-12-01T00:33:33.000Z","dependencies_parsed_at":"2023-01-23T04:01:22.153Z","dependency_job_id":null,"html_url":"https://github.com/ropwareJB/jwtfuzz","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ropwareJB%2Fjwtfuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ropwareJB%2Fjwtfuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ropwareJB%2Fjwtfuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ropwareJB%2Fjwtfuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ropwareJB","download_url":"https://codeload.github.com/ropwareJB/jwtfuzz/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242811876,"owners_count":20189145,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","bug-bounty-tools","bugbounty","fuzz","fuzzing","hacking","hacking-tool","jwt","jwt-token","pentesting","pentesting-tools","security"],"created_at":"2024-07-29T17:07:40.631Z","updated_at":"2025-03-10T07:32:54.703Z","avatar_url":"https://github.com/ropwareJB.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# JwtFuzz\n\nA Library for fuzzing \u0026 attacking JSON Web Tokens (JWTs) for use in Penetration Testing and security auditing. Bindings for other languages included.\n\n## Using as a Binary\n\nThe `jwtfuzz-exe` binary can be used to generate a series of 'bad' JWT input with various modifications applied, including null signatures, swapped algorithms, psychic signatures, etc. Simply provide a JWT of valid form to stdin;\n\n```\n\u003e echo \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c\" | ./jwtfuzz-exe\n...ommitted...\neyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJpYXQiOjE1MTYyMzkwMjIsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMzQ1Njc4OTAifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c=\n...ommitted...\n```\n\n## Using as a Binary via Docker\n\nThe binary is distributed as a docker container hosted on DockerHub.\n\n```\necho \"eyJhbGciOiJIUzI1NiI...\u003committed\u003e\" | docker run -i cortisol/jwtfuzz \n```\n\n## Using as a Library\n\nThe fuzzing functions are also provided as a Unix Shared Library (.so) and Windows DLL.\n\nYou can call the library from C or any language in which you can utilize dynamic-library or a Foreign Function Interface (FFI). An example may be found in the `./so/test` directory, which demonstrates usage in C.\n\nThis module requires that the `jwtfuzz_init()` function is called to initialize the GHC runtime before you call any of the other library functions. Following, you may call `char** fuzzjwt_fuzz(char** err_ptr, char* jwt)` to generate a series of malicious input.\n\n#### Handling Errors\n\n`err_ptr` should be initialized to NULL prior to calling `fuzzjwt_fuzz` and associated functions. If an error occurred, this variable will be populated with a pointer to a string allocated on the Heap describing an error that occurred.\n\n#### Memory Allocation\n\nUsage of this library allocates memory on the Heap. After consumption of the returned JWTs and `err_ptr`, they must be free'd or you will have a memory leak (overconsumption, not disclosure) in your program whenever you fuzz a JWT. Please see `./so/test/main.c` for an example.\n\nYou may use the `void jwtfuzz_free(char* err, char** jwts)` function to deallocate all memory once you have processed the output.\n\n## Dependencies\n\n#### Compilation\n- Requires forked hpack (PR open to hpack):\nhttps://github.com/sol/hpack/pull/518\n\n#### Runtime\n- Requires libjwt\n```bash\n# OSX\nbrew install libjwt\n# Linx\n# TODO: ?????\n```\n\n#### Binary\n```\nmake bin\n```\n\n#### Shared Library\n\n```\nmake so\n```\n\n### Inspiration\n\nThanks to Alex Wells for his very useful original JWT Fuzz utility on his blog:\nhttps://node-security.com/posts/jwt-fuzzing/\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FropwareJB%2Fjwtfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FropwareJB%2Fjwtfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FropwareJB%2Fjwtfuzz/lists"}