View Issue Details

ID: 0007022
Project: Kali Linux
Category: [All Projects] Queued Tool Addition
View Status: public
Last Update: 2021-03-06 20:34
Reporter: DontPanicO
Assigned To:
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0007022: jwtXploiter, a tool to test security of JSON Web Tokens
Description:
name: jwtXploiter
version: 1.0
homepage: https://github.com/DontPanicO/jwtXploiter
wiki: https://github.com/DontPanicO/jwtXploiter/wiki
download: https://github.com/DontPanicO/jwtXploiter/releases/tag/v1.0
download: https://pypi.org/project/jwtxploiter/
author: DontPanicO
licence: GPL-3.0
description: A command line interface to test security of JWTs against all known CVEs and more

    - Tamper with the token payload, change claims and subclaims values.
    - Exploit known vulnerable header claims (kid, jku, x5u)
    - Verify a token
    - Retrieve the public key of your target's SSL connection and try to use it in a key confusion attack with one option only
    - All JWAs supported (HS*, RS*, PS*, ES*)
    - Generate a JWK and insert it in the token header
    - And much, much more!

dependencies: python3 (3.7 or newer)
python dependencies: cryptography==3.2.1
activity: actively maintained
installation: pip install, rpm package (provided by latest release on GitHub)
how to use: this tool covers a lot of use cases, and all are well explained in the wiki. Here I just provide some basics.

    - jwtxpl <token> -d # decode a token
    - jwtxpl <token> -a None -p <claim_name>:<new_value> # Try alg none and change a payload claim issuing new_value
    - jwtxpl <token> -a hs256 -p user:admin -k /path/to/key # Use JWA HS256, change payload, and sign token with a key
    - jwtxpl <token> -a hs256 -p user:admin --unverified # Try to reuse original signature
    - jwtxpl <token> -a hs256 --inject-kid sqli # Try an sqli payload against the kid header
    - jwtxpl <token> -a rs256 --jku-basic <yourURL> # Try to make the jku point to your jwks (automatically generated)
    - jwtxpl <token> -a es384 -V /path/to/key # Verify the signature using JWA ES384 and the key passed to -V

packaged: The tool does not have a .deb yet, but I'm working on it.

Activities

DontPanicO

2021-02-02 16:24

reporter   ~0014192

Debian package has been provided. It can be found on GitHub, provided with the tool's latest release.

g0tmi1k

2021-03-05 13:14

administrator   ~0014272

Hello - thanks for the submission @DontPanicO,
Where's the Debian package?

g0tmi1k

2021-03-05 13:31

administrator   ~0014282

@kali-team, please could this be packaged up.

DontPanicO

2021-03-06 20:34

reporter   ~0014287

@g0tmi1k here --> http://andreatedeschi.uno/jwtxploiter/jwtxploiter_1.2.1-1_all.deb

Issue History

Date Modified Username Field Change
2021-01-31 17:00 DontPanicO New Issue
2021-02-02 16:24 DontPanicO Note Added: 0014192
2021-03-05 13:14 g0tmi1k Note Added: 0014272
2021-03-05 13:31 g0tmi1k Status new => acknowledged
2021-03-05 13:31 g0tmi1k Category New Tool Requests => Queued Tool Addition
2021-03-05 13:31 g0tmi1k Note Added: 0014282
2021-03-06 20:34 DontPanicO Note Added: 0014287