View Issue Details

ID: 0007022
Project: Kali Linux
Category: Queued Tool Addition
View Status: public
Last Update: 2023-02-20 08:59
Reporter: DontPanicO
Assigned To:
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Summary: 0007022: jwtXploiter - test security of JSON Web Tokens
Description

name: jwtXploiter
version: 1.0
homepage: https://github.com/DontPanicO/jwtXploiter
wiki: https://github.com/DontPanicO/jwtXploiter/wiki
download: https://github.com/DontPanicO/jwtXploiter/releases/tag/v1.0
download: https://pypi.org/project/jwtxploiter/
author: DontPanicO
licence: GPL-3.0
description: A command line interface to test security of JWTs against all known CVEs and more

- Tamper with the token payload, change claims and subclaims values.
- Exploit known vulnerable header claims (kid, jku, x5u)
- Verify a token
- Retrieve the public key of your target's ssl connection and try to use it in a key confusion attack with one option only
- All JWAs supported (HS*, RS*, PS*, ES*)
- Generates a JWK and inserts it in the token header
- And much, much more!

dependencies: python3 (3.7 or newer)
python dependencies: cryptography==3.2.1
activity: actively maintained
installation: pip install, rpm package (provided by latest release on GitHub)
how to use: this tool covers a lot of use cases, and all are well explained in the wiki. Here I just provide some basics.

- jwtxpl <token> -d    # decode a token
- jwtxpl <token> -a None -p <claim_name>:<new_value>    # Try alg none and change a payload claim issuing new_value
- jwtxpl <token> -a hs256 -p user:admin -k /path/to/key    # Use JWA HS256, change payload, and sign token with a key
- jwtxpl <token> -a hs256 -p user:admin --unverified    # Try to reuse original signature
- jwtxpl <token> -a hs256 --inject-kid sqli    # Try an sqli payload against the kid header
- jwtxpl <token> -a rs256 --jku-basic <yourURL>    # Try to make the jku point to your jwks (automatically generated)
- jwtxpl <token> -a es384 -V /path/to/key    # Verify the signature using JWA ES384 and the key passed to -V

packaged: The tool does not have a .deb yet, but I'm working on it.
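
The checks a token verifier needs for the tests listed in this submission (alg none, reused signature, kid and jku tampering, algorithm swap) to come back negative, as an added example that is not code from jwtXploiter or its author. The key, the kid values and all function names are constructed for the illustration, and HS256 stands in for whichever single algorithm the service pins.

```python
import base64, hashlib, hmac, json

ALLOWED_ALG = "HS256"                       # pinned by the verifier, never taken from the token
KEYS = {"k1": b"constructed-demo-secret"}   # constructed allowlist: kid -> key
FORBIDDEN = {"jku", "x5u", "jwk", "x5c"}    # headers that would let a token name its own key

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(header: dict, payload: dict, key: bytes) -> str:
    """Build a signed token; used here only to create constructed sample input."""
    signing_input = ".".join(b64e(json.dumps(p).encode()) for p in (header, payload))
    return signing_input + "." + b64e(mac(signing_input, key))

def verify(token: str) -> dict:
    """Return the payload of a valid token, else raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    try:
        header = json.loads(b64d(parts[0]))
        signature = b64d(parts[2])
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict):
        raise ValueError("malformed token")
    if header.get("alg") != ALLOWED_ALG:         # rejects none/None and any algorithm swap
        raise ValueError("algorithm not allowed")
    if FORBIDDEN.intersection(header):           # key material is never fetched via the token
        raise ValueError("forbidden header")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:   # exact lookup only: no path, no query
        raise ValueError("unknown kid")
    expected = mac(parts[0] + "." + parts[1], KEYS[kid])
    if not hmac.compare_digest(signature, expected):  # constant-time; catches reused signatures
        raise ValueError("bad signature")
    return json.loads(b64d(parts[1]))

def reason(token: str) -> str:
    """Verdict for one token: 'ok' or the rejection reason."""
    try:
        verify(token)
        return "ok"
    except ValueError as exc:
        return str(exc)
```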

Activities

DontPanicO

2021-02-02 16:24

reporter   ~0014192

Debian package has been provided. It can be found on GitHub, provided with the tool's latest release.

g0tmi1k

2021-03-05 13:14

administrator   ~0014272

Hello - thanks for the submission @DontPanicO,
Where's the Debian package?

g0tmi1k

2021-03-05 13:31

administrator   ~0014282

@kali-team, please could this be packaged up.

DontPanicO

2021-03-06 20:34

reporter   ~0014287

@g0tmi1k here --> http://andreatedeschi.uno/jwtxploiter/jwtxploiter_1.2.1-1_all.deb

Kenneths28

2023-02-20 08:59

reporter   ~0017536

I am eager to work with each of the programs; I like technology.

Issue History

Date Modified Username Field Change
2021-01-31 17:00 DontPanicO New Issue
2021-02-02 16:24 DontPanicO Note Added: 0014192
2021-03-05 13:14 g0tmi1k Note Added: 0014272
2021-03-05 13:31 g0tmi1k Status new => acknowledged
2021-03-05 13:31 g0tmi1k Category New Tool Requests => Queued Tool Addition
2021-03-05 13:31 g0tmi1k Note Added: 0014282
2021-03-06 20:34 DontPanicO Note Added: 0014287
2022-05-04 12:58 g0tmi1k Summary jwtXploiter, a tool to test security of JSON Web Tokens => jwtXploiter - test security of JSON Web Tokens
2023-02-20 08:59 Kenneths28 Note Added: 0017536