https://github.com/mazen160/jwt-pwn
Security Testing Scripts for JWT
https://github.com/mazen160/jwt-pwn
jwt jwt-cracker jwt-pwn web-security
Last synced: 3 months ago
JSON representation
Security Testing Scripts for JWT
- Host: GitHub
- URL: https://github.com/mazen160/jwt-pwn
- Owner: mazen160
- License: mit
- Created: 2019-10-22T13:42:09.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2022-06-30T02:50:20.000Z (almost 3 years ago)
- Last Synced: 2025-04-02T07:09:32.806Z (3 months ago)
- Topics: jwt, jwt-cracker, jwt-pwn, web-security
- Language: Python
- Size: 7.81 KB
- Stars: 312
- Watchers: 10
- Forks: 57
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
README
jwt-pwn
=========
## Security Testing Scripts for JWT
---
## jwt-cracker.py
JWT password/secret cracker.
```
$python3 jwt-cracker.py -jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4" -t 10 -w /pentest/wordlist.txt
[info] Loaded wordlist.
[info] starting brute-forcing.
[#] KEY FOUND: 1234
```
---
## go-jwt-cracker
JWT password/secret cracker that is much faster.
```
$ cd go-jwt-cracker
$ go get
$ go build # Building the binary.
$ ./go-jwt-cracker -wordlist /pentest/wordlist.txt -token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"
[+] Key Found: 1234
```
---
## jwt-decoder.py
Decodes the value of JWT.
```
$ python3 jwt-decoder.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1
YqLEv9ypAApz27nfYP5L4"
[#] JWT Header:
{"alg": "HS256", "typ": "JWT"}
[#] JWT Value:
{"jwt": "pwn"}
```
---
## jwt-any-to-hs256.py
Generates a new JWT that is signed with HS256 with the same payload value of a provided JWT.
```
python3 jwt-any-to-hs256.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc
8D-J1YqLEv9ypAApz27nfYP5L4"
[#] Generated JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqd3QiOiJwd24ifQ.WqY6R5zmscIx_6ZFwSASHZ_1zbqih_IdtLv_S2Pj028
```
---
## jwt-mimicker.py
Generates a new unsigned JWT with the same payload value of a provided JWT.
```
python3 jwt-mimicker.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J
1YqLEv9ypAApz27nfYP5L4"
[#] Generated unsigned JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJqd3QiOiJwd24ifQ.
```
---
# **Requirements** #
* Python2 or Python3
* pyjwt
# **Legal Disclaimer** #
This project is made for educational and ethical testing purposes only. Usage of jwt-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
# **License** #
The project is licensed under MIT License.
# **Author** #
*Mazin Ahmed*
* Website: [https://mazinahmed.net](https://mazinahmed.net)
* Email: *mazin AT mazinahmed DOT net*
* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160)
* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed)