aress31/ jwtcat
Need help with jwtcat?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
About the developer
214 Stars 
42 Forks 
Apache License 2.0 
63 Commits 
9 Opened issues 
Description
A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner.
Services available
Contributors list
Readme
jwtcat
A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner
jwtcatis a
Python scriptdesigned to detect and exploit well-known cryptographic flaws present in JSON Web Token (JWT). These vulnerabilities, if successfully exploited by an adversary could allow authentication bypass, information disclosure and could ultimately lead to the compromise of an entire information system.
More information about JWT vulnerabilities can be found at: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Features
- Test against the following vulnerabilitie(s):
-
CVE-2018-1000531: JWT signature bypass due to the use of
None
hashing algorithm (alg=none
)
-
CVE-2018-1000531: JWT signature bypass due to the use of
- Guessing attacks against JWT private keys signed with the HS256 hashing algorithm:
- Brute-force attacks
- Wordlist attacks
Requirements
jwtcatis written in Python 3 (and therefore requires a minimum of
Python 3.6) in addition to the following libraries:
- coloredlogs: https://pypi.org/project/coloredlogs/
- PyJWT: https://pypi.org/project/PyJWT/
- tqdm: https://pypi.org/project/tqdm/
Installation
- Clone/download the repository:
git clone https://github.com/AresS31/jwtcat cd jwtcat
- (Optional but recommended) Create and activate a new
Python
virtual environment:
- Create the virtual environment:
python -m venv env
- Activate the newly created environment:
- On POSIX:
source ./env/bin/activate
- On Windows:
./env/Scripts/Activate.ps1
- On POSIX:
- Install
jwtcat
's dependencies:
python -m pip install -r requirements.txt
Usage
To get a list of options and switches use:
python jwtcat.py -h
To get a list of options and switches for brute force attacks:
python jwtcat.py brute-force -h
To get a list of options and switches for wordlist attacks:
python jwtcat.py wordlist -h
To test a JWT against CVE-2018-1000531 and HS256 brute-force attacks:
python jwtcat.py vulnerable -h
Sponsor ♥
If you use
jwtcata lot (especially if it's used commercially), please consider donating as a lot of time and effort went into building and maintaining this project.
Press the "Sponsor" button on the top of this page to see ways of donating/sponsoring to this project.
Contributions
Your feedback and contributions will be much appreciated.
Roadmap
- [ ] Implement additional attack vectors
- [ ] Implement support for multithreading or multiprocessing
- [ ] Implement support for the
-tF, --token-file
swicth - [ ] Improve the code logic for:
- [ ]
TQDM
integration with thelogger
- [ ]
- [ ] Improve the script performances
Changelog
v1.1 - May 2020:
- Added checks to see if jwt is signed with HS256
- Added checks to see if jwt is vulnerable to CVE-2018-1000531
- Added potfile options
- Added support for brute-force attacks
- Code refactoring
- Improved the standard output formatting
- Switched from
python-colorlog
tocoloredlogs
License
Copyright (C) 2017 - 2020 Alexandre Teyar
See LICENSE file for details.