Skip to content

Arpit22338/jwtdrive

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
wordlists
wordlists
 
 
README.md
README.md
 
 
install.sh
install.sh
 
 
jwtdrive.py
jwtdrive.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

jwtdrive

jwtdrive is a focused recon tool for JWT public key discovery. It brute-forces common JWKS and public key endpoints, extracts a compatible PEM public key, and streamlines RS256 -> HS256 algorithm confusion workflows used by jwt_tool during security testing.

Installation

git clone <repo-url>
cd jwtdrive
bash install.sh

CLI Flags

  • -t, --target - Target base URL to brute-force (e.g. https://target.com) Example: jwtdrive -t https://target.com
  • -pu, --pubkey-url - Skip brute-force and fetch a known public key URL directly Example: jwtdrive -pu https://target.com/.well-known/jwks.json
  • -o, --output - Output filename for the saved PEM public key (default: <domain>.pem) Example: jwtdrive -t https://target.com -o mykey.pem
  • -w, --wordlist - Path to a custom wordlist file (one path per line) Example: jwtdrive -t https://target.com -w custom_wordlist.txt
  • -T, --threads - Number of concurrent threads for brute-force requests (default: 10) Example: jwtdrive -t https://target.com -T 20
  • -k, --no-verify - Disable SSL certificate verification (useful for self-signed targets) Example: jwtdrive -t https://target.com -k
  • -v, --verbose - Show all attempted paths including failures Example: jwtdrive -t https://target.com -v
  • --discover - Discover keys by scraping root HTML/JS before brute-force Example: jwtdrive -t https://target.com --discover
  • --follow-hosts - Allow following key URLs on external hosts Example: jwtdrive -t https://target.com --discover --follow-hosts
  • --max-candidates - Maximum candidate URLs to follow per response (default: 40) Example: jwtdrive -t https://target.com --discover --max-candidates 80

Usage Examples

jwtdrive -t https://target.com
jwtdrive -t https://target.com -v --threads 20
jwtdrive -t https://target.com -o mykey.pem -w custom_wordlist.txt
jwtdrive -pu https://target.com/.well-known/jwks.json
jwtdrive -t https://target.com -k -v
jwtdrive -t https://target.com --discover --follow-hosts
jwtdrive -t https://target.com --discover --max-candidates 80

Using the PEM with jwt_tool

After a successful extraction, jwtdrive prints a ready-to-run jwt_tool command. You can use the saved PEM directly:

jwt_tool <your_token> -X k -pk example.com.pem

Output Location

The PEM file is saved in the directory where you run the command. By default the filename is the target domain, for example:

./example.com.pem

Supported Key Formats

  • JWK Set (jwks.json) - Extracts all keys and saves as pubkey_1.pem, pubkey_2.pem, etc.
  • Raw PEM public key - Saved directly without conversion
  • X.509 certificate (PEM or DER) - Extracts the public key and saves as PEM
  • OpenID configuration - Follows jwks_uri and processes it as a JWK Set

Discovery Mode

--discover scrapes the root HTML and JavaScript bundles to locate embedded JWKS or key URLs before brute-forcing. It also probes common IdP endpoints (Auth0, Okta, Cognito, Azure AD, Google-style). Use --follow-hosts to allow external auth domains.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages