jwt_tool v2.2.6 releases: A toolkit for testing, tweaking and cracking JSON Web Tokens
The JSON Web Token Toolkit
jwt_tool.py is a toolkit for validating, forging, and cracking JWTs (JSON Web Tokens).
Its functionality includes:
- Checking the validity of a token
- Testing for known exploits:
  - (CVE-2015-2951) The alg=none signature-bypass vulnerability
  - (CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
  - (CVE-2018-0114) Key injection vulnerability
  - (CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
  - (CVE-2020-28042) Null signature vulnerability
- Scanning for misconfigurations or known weaknesses
- Fuzzing claim values to provoke unexpected behaviours
- Testing the validity of a secret/key file/Public Key/JWKS key
- Identifying weak keys via a High-speed Dictionary Attack
- Forging new token header and payload contents and creating a new signature with the key or via another attack method
- Timestamp tampering
- RSA and ECDSA key generation, and reconstruction (from JWKS files)
- …and lots more!
Audience
This tool is written for pentesters who need to check the strength of the tokens in use and their susceptibility to known attacks. A range of tampering, signing and verifying options is available to help delve deeper into the potential weaknesses present in some JWT libraries.
It has also been successful for CTF challengers – as CTFs seem keen on JWTs at present.
It may also be useful for developers who are using JWTs in projects, but would like to test for stability and for known vulnerabilities when using forged tokens.
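For developers, the exploit classes in the list above map onto checks a verifier has to make. The following is an added example, not code from jwt_tool or its author: a minimal HS256-only verifier (the names verify_hs256, sign_hs256 and TokenRejected are hypothetical) that refuses alg=none, a blank key, a null signature and key material supplied in the token header.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # chosen by the verifier; the token header never selects it
KEY_HEADERS = ("jwk", "jku", "x5c", "x5u")  # header fields that carry or point to a key


class TokenRejected(Exception):
    """Raised with the reason a token was refused."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact HS256 token (used here only to construct sample input)."""
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload, or raise TokenRejected naming the failed check."""
    if not key:
        raise TokenRejected("blank verification key")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:
        raise TokenRejected("undecodable token")
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise TokenRejected("algorithm not allowed")
    if any(name in header for name in KEY_HEADERS):
        raise TokenRejected("key material in header")
    if not signature:
        raise TokenRejected("empty signature")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature mismatch")
    return json.loads(b64url_decode(parts[1]))  # payload is parsed only after verification
```

Pinning the algorithm in the verifier rather than reading it from the header is what removes the token's ability to choose how it is checked.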
Changelog v2.2.6
[+] Fixed alg issue in prompt (thanks @jwutzke)
[+] Implemented a no-redirect option to avoid 301/302 ambiguous results (-nr/--no-redirect) (thanks @TheREK3R)
[+] Improved some JWKS/kid handling
[+] Fixed non-ASCII password issue on Playbook Scan
Install & Use
Copyright (C) 2022 ticarpi
Source: https://github.com/ticarpi/