A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner.
jwtcatis a
Python scriptdesigned to detect and exploit well-known cryptographic flaws present in JSON Web Token (JWT). These vulnerabilities, if successfully exploited by an adversary could allow authentication bypass, information disclosure and could ultimately lead to the compromise of an entire information system.
More information about JWT vulnerabilities can be found at: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Nonehashing algorithm (
alg=none)
jwtcatis written in Python 3 (and therefore requires a minimum of
Python 3.6) in addition to the following libraries:
git clone https://github.com/AresS31/jwtcat cd jwtcat
Pythonvirtual environment:
python -m venv env
source ./env/bin/activate
./env/Scripts/Activate.ps1
jwtcat's dependencies:
python -m pip install -r requirements.txt
To get a list of options and switches use:
python jwtcat.py -h
To get a list of options and switches for brute force attacks:
python jwtcat.py brute-force -h
To get a list of options and switches for wordlist attacks:
python jwtcat.py wordlist -h
To test a JWT against CVE-2018-1000531 and HS256 brute-force attacks:
python jwtcat.py vulnerable -h
If you use
jwtcata lot (especially if it's used commercially), please consider donating as a lot of time and effort went into building and maintaining this project.
Press the "Sponsor" button on the top of this page to see ways of donating/sponsoring to this project.
Your feedback and contributions will be much appreciated.
-tF, --token-fileswicth
TQDMintegration with the
logger
python-colorlogto
coloredlogs
Copyright (C) 2017 - 2020 Alexandre Teyar
See LICENSE file for details.