MyJWT: cracking, testing vulnerabilities on Json Web Token(JWT)
MyJWT
A cli for cracking, and testing vulnerabilities on Json Web Token(JWT). This cli is for pentesters, CTF players, or devs. You can modify your jwt, sign, inject, etc…
Features
- copy new jwt to clipboard
- user Interface (thanks questionary)
- color output
- modify jwt (header/Payload)
- None Vulnerability
- RSA/HMAC confusion
- Sign a jwt with key
- Brute Force to guess key
- crack jwt with regex to guess key
- kid injection
- Jku Bypass
- X5u Bypass
Install
pip install myjwt
Use
Modify JWT
| Option | Type | Example | help |
|---|---|---|---|
| –ful-payload | JSON | {“user”: “admin”} | New payload for your jwt. |
| -h, –add-header | key=value | user=admin | Add a new key, value to your jwt header, if key is present old value will be replaced. |
| -p, –add-payload | key=value | user=admin | Add a new key, value to your jwt payload, if key is present old value will be replaced. |
Check Your JWT (HS alg)
| Option | Type | Example | help |
|---|---|---|---|
| –sign | text | mysecretkey | Sign Your jwt with your key |
| –verify | text | mysecretkey | Verify your key. |
Exploit
| Option | Type | Example | help |
|---|---|---|---|
| -none, –none-vulnerability | Nothing | Check None Alg vulnerability. | |
| –hmac | PATH | ./public.pem | Check RS/HMAC Alg vulnerability, and sign your jwt with public key. |
| –bruteforce | PATH | ./wordlist/big.txt | Bruteforce to guess th secret used to sign the token. Use txt file with all password stored(1 by line) |
| –crack | REGEX | “[a-z]{4}” | regex to iterate all string possibilities to guess the secret used to sign the token. |
| –kid | text | “00; echo /etc/.passwd” | Kid Injection sql |
| –jku | text | MYPUBLICIP | Jku Header to bypass authentication, use –file if you want to change your jwks file name, and –key if you want to use your own private pem |
| –x5u | text | MYPUBLICIP | For jku or x5c Header, use –file if you want to change your jwks file name, and –key if you want to use your own private pem |
Send your jwt
| Option | Type | Example | help |
|---|---|---|---|
| -u, –url | url | http://challenge01.root-me.org/web-serveur/ch59/admin | Url to send your jwt. |
| -m, –method | text | POST | Method use to send request to url.(Default: GET). |
| -d, –data | key=value | secret=MY_JWT | Data send to your url.Format: key=value. if value = MY_JWT value will be replace by your new jwt. |
| -c, –cookies | key=value | secret=MY_JWT | Cookies to send to your url.Format: key=value.if value = MY_JWT value will be replace by your new jwt. |
Other
| Option | Type | Example | help |
|---|---|---|---|
| –crt | PATH | ./public.crt | For x5cHeader, force crt file |
| –key | PATH | ./private.pem | For jku or x5c Header, force private key to your key file |
| –file | text | myfile | For jku Header, force file name without .json extension |
| Nothing | Print Decoded JWT | ||
| –help | Nothing | Show Helper message and exit. | |
| –version | Nothing | Show Myjwt version |
Tutorial
Copyright (c) 2020 Matthieu Bouamama
