jwt-pwn – Security Testing Scripts for JWT
jwt-cracker.py
JWT password/secret cracker. C-jwt-cracker is a tool for brute-forcing the private key of a JWT. It uses its own implementation of JWT, and the Base64 library it relies on is proven to be buggy and delivers invalid results. This tool is limited to a single signing algorithm (HS256), so it cannot operate if a token uses a different signing algorithm.
jwt-cracker-go
JWT password/secret cracker that is much faster. The script is a linear implementation of jwt-cracker in Golang. It is really fast compared to other tools, even though it uses a linear approach to password cracking, and it is reliable because it validates tokens with the official Golang library for JWT. This should be roughly the same library that developers use in real-world environments.
jwt-decoder.py
Decodes the value of a JWT.
This is a simple script that decodes the values of JSON web tokens. It should be handy for testing JWT.
jwt-mimicker.py
This script creates an unsigned token from a JSON web token. It applies the “none” attack discussed previously.
jwt-key_based_token-to-hs256.py
This script creates a signed JWT from a key-based JWT. This applies to the attack mentioned previously. The script works on every key-based signing algorithm, thanks to the powerful pyjwt library.
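A verifier-side check for the token manipulations that jwt-mimicker.py and jwt-key_based_token-to-hs256.py test for, added here as an example (it is not part of jwt-pwn): the verifier pins the algorithm itself and only compares it with the token header, so an unsigned "none" token, or any token whose header names a different algorithm, is rejected before the signature is looked at. It uses only the Python standard library; the secret, claims and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ALG = "HS256"  # pinned by the verifier, never read from the token
SECRET = b"constructed-demo-secret"  # constructed sample value

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 sample token to feed the verifier."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(mac(head + '.' + body, secret))}"

def verify(token: str, secret: bytes) -> dict:
    """Return the claims or raise ValueError; header alg is compared, never obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))  # decode errors are ValueError too
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(mac(head + "." + body, secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def accepted(token: str) -> bool:
    try:
        verify(token, SECRET)
        return True
    except ValueError:
        return False

GOOD = sign_hs256({"sub": "alice", "admin": False}, SECRET)
# Constructed unsigned token: header alg "none", same claims, empty signature.
UNSIGNED = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + GOOD.split(".")[1] + "."

if __name__ == "__main__":
    print("signed:", accepted(GOOD), "unsigned:", accepted(UNSIGNED))
```

A service that issues key-based tokens applies the same rule with its asymmetric algorithm as the pinned value, so a token re-signed as HS256 fails the algorithm comparison.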
Download && Use
Copyright (c) 2019 Mazin Ahmed