Discover the power of jwt_tool, a comprehensive toolkit designed for the robust testing of JSON Web Tokens (JWTs).
Perfect for pentesters and developers, this toolkit offers a variety of functions, from validating token authenticity to exploiting known vulnerabilities.
Dive into the capabilities of jwt_tool and enhance your security skills and knowledge.
Its functionality includes:
This tool is written for pentesters, who need to check the strength of the tokens in use, and their susceptibility to known attacks.
A range of tampering, signing and verifying options are available to help delve deeper into the potential weaknesses present in some JWT libraries.
It has also been successful for CTF challengers – as CTFs seem keen on JWTs at present.
It may also be useful for developers who are using JWTs in projects, but would like to test for stability and for known vulnerabilities when using forged tokens.
This tool is written natively in Python 3 (version 3.6+) using the common libraries, however various cryptographic funtions (and general prettiness/readability) do require the installation of a few common Python libraries.
(An older Python 2.x version of this tool is available on the legacy branch for those who need it, although this is no longer be supported or updated)
The preferred usage for jwt_tool is with the official Dockerhub-hosted jwt_tool docker image
The base command for running this is as follows:
Base command for running jwt_tool:docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool
By using the above command you can tag on any other arguments as normal.
Note that local files in your current working directory will be mapped into the docker container’s /tmp directory, so you can use them using that absolute path in your arguments.
i.e.
/tmp/localfile.txt
Installation is just a case of downloading the jwt_tool.py
file (or git clone
the repo).
(chmod
the file too if you want to add it to your $PATH and call it from anywhere.)
$ git clone https://github.com/ticarpi/jwt_tool
$ python3 -m pip install -r requirements.txt
On first run the tool will generate a config file, some utility files, logfile, and a set of Public and Private keys in various formats.
jwtconf.ini
as the “jwkloc” value.To fix broken colours in Windows cmd/Powershell: uncomment the below two lines in jwt_tool.py
(remove the “# ” from the beginning of each line)
You will also need to install colorama: python3 -m pip install colorama
# import colorama
# colorama.init()
For more information click here.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…