Using jwt_tool

ticarpi edited this page Nov 13, 2019 · 8 revisions

Installation:

jwt_tool was written using native Python 3 libraries, without having any dependencies on any of the many JWT libraries that could have been utilised.
The only dependencies are for the crypto processes, such as signing and verifying RSA/ECDSA/PSS tokens, generating and reconstructing Public/Private Keys, and a few other practical tasks.
If you don't intend to use these functions then you can just use the tool as-is.

To grab a copy of jwt_tool simply git clone it onto your system from a terminal:

$ git clone https://github.com/ticarpi/jwt_tool

To perform the crypto tasks you just need to install PyCryptodome (as an independent library):

$ pip3 install pycryptodomex

Basic usage:

Run jwt_tool and see the usage information:

$ python3 jwt_tool.py -h

Process a token and launch the interactive menu:

$ python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po

Launch the reader/decoder:

$ python3 jwt_tool.py JWT_HERE -R

Launch the eXplorer (identify potentially weak claims):

$ python3 jwt_tool.py JWT_HERE -X

Verify a token against a Public Key:

$ python3 jwt_tool.py JWT_HERE -V -pk my_public.pem

Start tampering interactively with the header, payload and signature:

$ python3 jwt_tool.py JWT_HERE -T

Common Attacks

Attempt to crack the secret key (HMAC algorithms):

$ python3 jwt_tool.py JWT_HERE -C -d dictionary.txt

Try the 'key-confusion' attack against asymmetric signing algorithms (RS-, EC-, PS-) with a known Public Key:

$ python3 jwt_tool.py JWT_HERE -K -pk my_public.pem

Try using the 'none' algorithm for creating unvalidated tokens:

$ python3 jwt_tool.py JWT_HERE -A

Process a JSON Web Key Store file, reconstruct the Public Keys, and test the keys to see which verify the token:

$ python3 jwt_tool.py JWT_HERE -J -jw jwks.json

Generate a new RSA key pair, inject the Public Key as a JSON Web Key Store object into the token, and sign the token with the Private Key:

$ python3 jwt_tool.py JWT_HERE -I

Spoof a remote JWKS: generate a new RSA key pair, inject your supplied URL into the token, export the Public Key as a JSON Web Key Store object (to serve at the URL provided), and sign the token with the Private Key:

$ python3 jwt_tool.py JWT_HERE -S -u http://example.com/jwks.json
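
For the service being tested, the 'none', injected-JWKS and spoofed-JWKS checks above all succeed only when the verifier lets the token header choose the algorithm or the key. The following is an added example, not part of jwt_tool or the original page: a standard-library HS256 verifier that pins both. The function names and the `KEY_HINT_PARAMS` set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Header parameters through which a token can nominate its own verification key.
KEY_HINT_PARAMS = {"jwk", "jku", "x5u", "x5c"}

class TokenRejected(Exception):
    """Raised for any token that fails a pinned check."""

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    """Build a token; used here only to make constructed sample input."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, payload)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])

def verify_hs256(token, secret):
    """Return the payload only if the token passes every check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:
        raise TokenRejected("malformed header or signature") from exc
    # The verifier, not the token, decides the algorithm: 'none' and any
    # other value are refused before a signature is even computed.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("algorithm is not the pinned HS256")
    # The key comes from local configuration, never from the header.
    if KEY_HINT_PARAMS & header.keys():
        raise TokenRejected("header tries to supply key material")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenRejected("signature mismatch")
    try:
        return json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        raise TokenRejected("malformed payload") from exc

if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # random 256-bit key, not a dictionary word
    token = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"login": "ticarpi"}, secret)
    print(verify_hs256(token, secret))
```

The same pinning applies to an asymmetric verifier: accepting only the configured RS-, EC- or PS- algorithm is what makes the key-confusion check fail.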