JwtXploiter Versions

A tool to test the security of JSON Web Tokens

v1.2.1

3 years ago

New Release (1.2.1): FIXED

  • FileNotFoundError when passing a non-existing key file to -k/--key #10

ADDED

  • Quiet option to suppress warnings and colored output, keeping only the crafted token

ENHANCEMENT

  • Added methods to speed up format conversions (der, pem, int)
  • The algorithm is no longer required for verify operations

v1.2

3 years ago

New Release: FIXED

  • AttributeError if the JWKS file does not contain the verifier key #8
  • JWKS file not properly generated #7

IMPLEMENTED

  • CVE-2020-28042 (null signature)

ENHANCEMENT

  • Dropped the pyOpenSSL dependency
  • Dropped the use of subprocess; moved to the Python standard library
  • Improved --auto-try efficiency
  • Certificate generation now uses the cryptography library

v1.1

3 years ago

New Release: FIXED

  • x5u functions were not converting public numbers to base64
  • JWK generation via --generate-jwk was not converting public numbers to base64

ADDED

  • Added feature to dump the generated key
  • Merged --complex-payload functionality into --payload (--complex-payload is still available but is deprecated)
  • Added feature to verify a token against a JWKS file

ENHANCEMENT

  • Wiki updated
  • Docstrings corrections

v1.0

3 years ago

A command-line interface to test the security of JSON Web Tokens. Test JWTs against all known CVEs and more:

  • Tamper with the token payload: change claim and sub-claim values.
  • Exploit known vulnerable header claims (kid, jku, x5u)
  • Verify a token
  • Retrieve the public key from the target's SSL connection and try it in a key confusion attack, with a single option
  • All JWAs supported
  • Generate a JWK and insert it in the token header
  • And much, much more!

The software is distributed as an RPM package or a plain tarball. A Debian package will be provided soon. This repository provides a detailed wiki, to be used as documentation, until a man page for Linux distributions is released: https://github.com/DontPanicO/jwtXploiter/wiki