loading
loading
Vulnerabilities
A toolkit for validating, forging, scanning, and tampering JWTs (JSON Web Tokens).
overview
jwt-tool works on JSON Web Tokens end to end: it decodes and validates them, forges and re-signs them, cracks weak HMAC keys, and tampers with header and payload claims to probe how an application trusts a token. Auth that leans on JWTs lives or dies on signature verification, and this tool exercises that path directly.
Its modes map to real attacks. Playbook mode runs a guided audit, the exploit options cover alg:none, blank-password signatures, JWKS spoofing, and key confusion, and crack mode runs a dictionary against an HMAC secret. It can fire the resulting tokens at a live target URL and confirm a bypass against a canary string in the response.
On Trickest, jwt-tool is a Vulnerabilities node that takes a token and writes a file and a folder of results. Chain it after a step that harvests JWTs from responses or storage, then route confirmed bypasses into your triage and reporting path.
source github.com/ticarpi/jwt_tool
use cases
Run playbook mode against a JWT to walk the common checks at once and surface which signature and claim weaknesses the implementation allows.
Use the exploit options for alg:none, blank-password signatures, JWKS spoofing, or key confusion to see whether the server accepts a forged token.
Run crack mode with a dictionary file against an HMAC-signed token to recover a guessable signing key and forge valid tokens from it.
Send a tampered token to a target URL and check for a canary value in the response to verify the forged token is accepted.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| jwt | STRING | · | The JWT to test (skip if it is in the header or cookies). |
| mode | STRING | --mode | Scanning mode: pb playbook audit, er force errors, cc fuzz common claims, at all tests. |
| exploit | STRING | --exploit | Exploit known flaws: a alg:none, b blank password, s spoof JWKS, k key confusion, i inject inline JWKS. |
| crack | BOOLEAN | --crack | Crack the key for an HMAC-SHA token. |
| dict-file-crack | FILE | --dict | Dictionary file for cracking the signing key. |
| target-url | STRING | --targeturl | Target URL to send the forged request to. |
| canaryvalue | STRING | --canaryvalue | Text that appears in the response for a valid token. |
| sign | STRING | --sign | Sign the resulting token. |
Showing key inputs. jwt-tool exposes 27 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| jwt | STRING | · | The JWT to test (no need to specify if it is in the header or cookies). |
| bare | STRING | --bare | Return tokens only. |
| mode | STRING | --mode | Scanning mode: pb playbook audit, er fuzz existing claims to force errors, cc fuzz common claims, at all tests. |
| sign | STRING | --sign | Sign the resulting token. |
| crack | BOOLEAN | --crack | Crack the key for an HMAC-SHA token. |
| query | STRING | --query | Query a token ID against the logfile to see the details of that request. |
| tamper | BOOLEAN | --tamper | Tamper with the JWT contents. |
| cookies | STRING | --cookies | Request cookies to send with the forged HTTP request. |
| exploit | STRING | --exploit | Exploit known flaws: a alg:none, b blank password accepted in signature, s spoof JWKS, k key confusion (set public key with --pubkey), i inject inline JWKS. |
| headers | STRING | --headers | Request headers to send with the forged HTTP request (repeatable for extra headers). |
| noproxy | STRING | --noproxy | Disable the proxy for the current request. |
| pub-key | FILE | --pubkey | Public key for asymmetric crypto. |
| verbose | STRING | --verbose | Produce slightly more verbose output when parsing and printing. |
| jwks-url | STRING | --jwksurl | URL where you host a spoofed JWKS. |
| jwksfile | FILE | --jwksfile | JSON Web Key Store for asymmetric crypto. |
| key-file | FILE | --keyfile | Keyfile for cracking (when signed with kid attacks). |
| postdata | STRING | --postdata | Data string to send in a POST request. |
| priv-key | FILE | --privkey | Private key for asymmetric crypto. |
| target-url | STRING | --targeturl | Target URL to send the forged request to. |
| verify-rsa | STRING | --verify | Verify the RSA signature against a public key. |
| canaryvalue | STRING | --canaryvalue | Text that appears in the response for a valid token (e.g. Welcome, ticarpi). |
| headerclaim | STRING | --headerclaim | Header claim to tamper with. |
| headervalue | STRING | --headervalue | Value (or file of values) to inject into the tampered header claim. |
| injectclaims | STRING | --injectclaims | Inject new claims and update existing claims with new values. |
| payloadclaim | STRING | --payloadclaim | Payload claim to tamper with. |
| payloadvalue | STRING | --payloadvalue | Value (or file of values) to inject into the tampered payload claim. |
| dict-file-crack | FILE | --dict | Dictionary file for cracking the signing key. |
example
# crack a weak HMAC key, then forge alg:none and confirm the bypass on a live appjwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ3Vlc3QifQ.Jf8v9Q --crack --dict /usr/share/wordlists/rockyou.txtjwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ3Vlc3QifQ.Jf8v9Q --exploit a --targeturl https://example.com/api/account --canaryvalue "Welcome, admin"Original JWT:jwttool_orig - eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... [+] EXPLOIT: "alg:none" - signature stripped[+] EXPLOIT: key confusion (RS256 to HS256) accepted[+] Weak HMAC key recovered from dictionary: hunter2 Sending tampered token to https://example.com/api/account ...[+] Response 200 (1487 bytes) - canary "Welcome, admin" found[+] Likely authentication bypass on example.com/api/accountguidance
Use jwt-tool when an app authenticates with JSON Web Tokens and you want to test how it verifies them. Harvest a token first, then run the playbook or a specific exploit. It targets JWTs specifically, so for broad web testing pair it with a general scanner like nuclei.
Has JWT templates among thousands of checks. jwt-tool goes far deeper on forging, cracking, and tampering.
Cracks JWT signatures at GPU speed. jwt-tool's crack mode is simpler and built into the same workflow.
Signature scanner for web apps. jwt-tool is the dedicated JWT specialist for the token itself.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A JWT feeds jwt-tool, which audits, tampers, and forges against it and writes the test results as output for triage.
Facts on this page come from the live Trickest tool library.