Skip to content
master
Switch branches/tags
Go to file
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
May 20, 2020
May 19, 2020
Jan 20, 2017
May 20, 2020
May 19, 2020

README.md

JSON Web Token Cracker

jwtcat

Language License Rawsec's CyberSecurity Inventory

A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner

jwtcat is a Python script designed to detect and exploit well-known cryptographic flaws present in JSON Web Token (JWT). These vulnerabilities, if successfully exploited by an adversary could allow authentication bypass, information disclosure and could ultimately lead to the compromise of an entire information system.

More information about JWT vulnerabilities can be found at: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/


Features

  • Test against the following vulnerabilitie(s):
    • CVE-2018-1000531: JWT signature bypass due to the use of None hashing algorithm (alg=none)
  • Guessing attacks against JWT private keys signed with the HS256 hashing algorithm:
    • Brute-force attacks
    • Wordlist attacks

Requirements

jwtcat is written in Python 3 (and therefore requires a minimum of Python 3.6) in addition to the following libraries:


Installation

  1. Clone/download the repository:
git clone https://github.com/AresS31/jwtcat
cd jwtcat
  1. (Optional but recommended) Create and activate a new Python virtual environment:

    • Create the virtual environment: python -m venv env
    • Activate the newly created environment:
      • On POSIX: source ./env/bin/activate
      • On Windows: ./env/Scripts/Activate.ps1
  2. Install jwtcat's dependencies:

python -m pip install -r requirements.txt

Usage

To get a list of options and switches use:

python jwtcat.py -h

To get a list of options and switches for brute force attacks:

python jwtcat.py brute-force -h

brute-force-demo

To get a list of options and switches for wordlist attacks:

python jwtcat.py wordlist -h

wordlist-demo

To test a JWT against CVE-2018-1000531 and HS256 brute-force attacks:

python jwtcat.py vulnerable -h

vulnerable-demo


Sponsor

If you use jwtcat a lot (especially if it's used commercially), please consider donating as a lot of time and effort went into building and maintaining this project.

Press the "Sponsor" button on the top of this page to see ways of donating/sponsoring to this project.


Contributions

Your feedback and contributions will be much appreciated.


Roadmap

  • Implement additional attack vectors
  • Implement support for multithreading or multiprocessing
  • Implement support for the -tF, --token-file swicth
  • Improve the code logic for:
    • TQDM integration with the logger
  • Improve the script performances

Changelog

v1.1 - May 2020:

  • Added checks to see if jwt is signed with HS256
  • Added checks to see if jwt is vulnerable to CVE-2018-1000531
  • Added potfile options
  • Added support for brute-force attacks
  • Code refactoring
  • Improved the standard output formatting
  • Switched from python-colorlog to coloredlogs

License

Copyright (C) 2017 - 2020 Alexandre Teyar

See LICENSE file for details.