jwt-tool
jwt_tool.py is a toolkit for validating, forging, scanning, and tampering with JWTs (JSON Web Tokens).
Details
Category: Vulnerabilities
Publisher: trickest-mhmdiaa
Created Date: 2/5/2022
Container: quay.io/trickest/jwt-tool:eb411ea
Source URL: https://github.com/ticarpi/jwt_tool
Parameters

Command:
- The JWT to tinker with (no need to specify if in header/cookies)

Command:
--bare
- Return TOKENS ONLY

Command:
--mode
- Scanning mode: pb = playbook audit, er = fuzz existing claims to force errors, cc = fuzz common claims, at = All Tests!

Command:
--sign
- Sign the resulting token

Command:
--crack
- Crack key for an HMAC-SHA token

Command:
--query
- Query a token ID against the logfile to see the details of that request

Command:
--tamper
- Tamper with the JWT contents

Command:
--cookies
- Request cookies to send with the forged HTTP request

Command:
--exploit
- Exploit known vulnerabilities: a = alg:none, signature, b = blank password accepted in signature, s = spoof JWKS, k = key confusion (specify public key with -pk), i = inject inline JWKS

Command:
--headers
- Request headers to send with the forged HTTP request (can be used multiple times for additional headers)

Command:
--noproxy
- Disable proxy for current request

Command:
--pubkey
- Public Key for Asymmetric crypto

Command:
--verbose
- When parsing and printing, produce (slightly more) verbose output

Command:
--jwksurl
- URL location where you can host a spoofed JWKS

Command:
--jwksfile
- JSON Web Key Store for Asymmetric crypto

Command:
--keyfile
- Keyfile for cracking (when signed with 'kid' attacks)

Command:
--postdata
- Text string that contains all the data to be sent in a POST request

Command:
--privkey
- Private Key for Asymmetric crypto

Command:
--targeturl
- Target URL

Command:
--verify
- Verify the RSA signature against a Public Key

Command:
--canaryvalue
- Text string that appears in response for valid token (e.g. Welcome, ticarpi)

Command:
--headerclaim
- Header claim to tamper with

Command:
--headervalue
- Value (or file containing values) to inject into tampered header claim

Command:
--injectclaims
- Inject new claims and update existing claims with new values

Command:
--payloadclaim
- Payload claim to tamper with

Command:
--payloadvalue
- Value (or file containing values) to inject into tampered payload claim

Command:
--dict
- Dictionary file for cracking