jwt_PWN.py is a toolkit for validating, forging and cracking JWTs (JSON Web Tokens).
Features:
- Checking the validity of a token (Only HMAC-SHA)
- Testing for the RS/HS256 public key mismatch vulnerability
- Testing for the alg=none signature-bypass vulnerability
- Identifying weak keys via Dictionary Attack
- Forging tokens header and payloads
Python 3, that's it.
$ python3 JWT_pwn.py <token>
The first argument should be the JWT itself.
For example:
$ python jwt_PWN.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw
-
A lot of the inspiration for this tool comes from the vulnerabilities discovered by Tim McLean.
Check out his blog on JWT weaknesses here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Regex for finding JWTs in Burp Search
(make sure 'Case sensitive' and 'Regex' options are ticked)
[= ]ey[A-Za-z0-9_-]*\.[A-Za-z0-9._-]* - url-safe JWT version
[= ]ey[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]* - all JWT versions (higher possibility of false positives)
- Support RSA signed tokens
- Multithread cracking of keys(Probably with a module written in Go)