Skip to content

fevra-dev/ClaimJumper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
claimjumper
claimjumper
 
 
wordlists
wordlists
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
jwt_analyzer.html
jwt_analyzer.html
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

   _____ _       _            _                                
  / ____| |     (_)          | |                               
 | |    | | __ _ _ _ __ ___  | |_   _ _ __ ___  _ __   ___ _ __ 
 | |    | |/ _` | | '_ ` _ \ | | | | | '_ ` _ \| '_ \ / _ \ '__|
 | |____| | (_| | | | | | | || | |_| | | | | | | |_) |  __/ |   
  \_____|_|\__,_|_|_| |_| |_|/ |\__,_|_| |_| |_| .__/ \___|_|   
                           |__/               | |               
                                              |_|  v0.1.0

Professional JWT security testing toolkit. Analyze, crack, forge, and exploit JSON Web Tokens with 15+ vulnerability checks, 100k secret wordlist, and CVE-specific attacks.

Features

Core Analysis

  • JWT decoding and vulnerability scanning
  • 15+ security checks (alg=none, weak algorithms, missing claims, sensitive data)
  • Risk scoring with detailed remediation

Advanced Attacks

  • Algorithm Confusion (CVE-2022-39227)
  • Kid Header Injection (path traversal, SQLi)
  • JKU/X5U Injection
  • Null Signature Bypass (CVE-2020-28042)
  • Psychic Signature (CVE-2022-21449)
  • JWKS Spoofing

Secret Cracking

  • Multi-threaded (~19k secrets/sec)
  • 100k+ Wallarm wordlist included
  • Custom wordlist support

Installation

pip install -e .

Quick Start

# Analyze a token
claimjumper analyze eyJhbGciOiJIUzI1NiIs...

# Generate attack tokens
claimjumper advanced-attacks <token>

# Crack secret (8 threads)
claimjumper crack <token> -t 8

# Full security audit
claimjumper full-audit <token>

Commands

Command Description
analyze Analyze JWT for vulnerabilities
advanced-attacks Generate CVE-based attack tokens
full-audit Complete security assessment
crack Multi-threaded secret brute-force
forge-none Create alg=none token
forge Create signed token
decode Decode and display token
playbook Automated security scan
fuzz Fuzz JWT claims
keygen Generate RSA/ECDSA keys

Web Interface

Open jwt_analyzer.html for a minimal web UI with:

  • Token analysis
  • Attack generation
  • Token forging

Security Checks

Check Severity
alg=none CRITICAL
Algorithm Confusion CRITICAL
Missing exp HIGH
JKU/X5U Injection HIGH
Kid Injection HIGH
Weak Algorithm MEDIUM
Sensitive Data MEDIUM

Exit Codes

  • 0 — Analysis complete / No secret found
  • 1 — Vulnerabilities found / Secret cracked
  • 2 — Error

License

MIT

ClaimJumper — For authorized security testing only.

About

Professional JWT security testing toolkit. Analyze, crack, forge, and exploit JSON Web Tokens with 15+ vulnerability checks, 100k secret wordlist, and CVE-specific attacks (CVE-2022-21449, CVE-2018-0114).

Topics

python cli security jwt authentication owasp cybersecurity penetration-testing bug-bounty infosec json-web-token ethical-hacking security-tools vulnerability-scanner token-security

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages