MyJWT
This cli is for pentesters, CTF players, or dev. You can modify your jwt, sign, inject, etc…
Features
- modify jwt (header/Payload)
- None Vulnerability
- RSA/HMAC confusion
- Sign a jwt with key
- Brute Force to guess the key
- crack jwt with regex to guess the key
- kid injection
- Jku Bypass
- X5u Bypass
Changelog v1.6.1
Added
Install
pip install myjwt
Use

Modify JWT
Option |
Type |
Example |
help |
–ful-payload |
JSON |
{“user”: “admin”} |
New payload for your jwt. |
-h, –add-header |
key=value |
user=admin |
Add a new key, value to your jwt header, if key is present old value will be replaced. |
-p, –add-payload |
key=value |
user=admin |
Add a new key, value to your jwt payload, if key is present old value will be replaced. |
Check Your JWT (HS alg)
Option |
Type |
Example |
help |
–sign |
text |
mysecretkey |
Sign Your jwt with your key |
–verify |
text |
mysecretkey |
Verify your key. |
Exploit
Option |
Type |
Example |
help |
-none, –none-vulnerability |
Nothing |
|
Check None Alg vulnerability. |
–hmac |
PATH |
./public.pem |
Check RS/HMAC Alg vulnerability, and sign your jwt with public key. |
–bruteforce |
PATH |
./wordlist/big.txt |
Bruteforce to guess th secret used to sign the token. Use txt file with all password stored(1 by line) |
–crack |
REGEX |
“[a-z]{4}” |
regex to iterate all string possibilities to guess the secret used to sign the token. |
–kid |
text |
“00; echo /etc/.passwd” |
Kid Injection sql |
–jku |
text |
MYPUBLICIP |
Jku Header to bypass authentication, use –file if you want to change your jwks file name, and –key if you want to use your own private pem |
–x5u |
text |
MYPUBLICIP |
For jku or x5c Header, use –file if you want to change your jwks file name, and –key if you want to use your own private pem |
Send your jwt
Option |
Type |
Example |
help |
-u, –url |
url |
http://challenge01.root-me.org/web-serveur/ch59/admin |
Url to send your jwt. |
-m, –method |
text |
POST |
Method use to send request to url.(Default: GET). |
-d, –data |
key=value |
secret=MY_JWT |
Data send to your url.Format: key=value. if value = MY_JWT value will be replace by your new jwt. |
-c, –cookies |
key=value |
secret=MY_JWT |
Cookies to send to your url.Format: key=value.if value = MY_JWT value will be replace by your new jwt. |
Other
Option |
Type |
Example |
help |
–crt |
PATH |
./public.crt |
For x5cHeader, force crt file |
–key |
PATH |
./private.pem |
For jku or x5c Header, force private key to your key file |
–file |
text |
myfile |
For jku Header, force file name without .json extension |
–print |
Nothing |
|
Print Decoded JWT |
–help |
Nothing |
|
Show Helper message and exit. |
–version |
Nothing |
|
Show Myjwt version |
Copyright (c) 2020 Matthieu Bouamama