asantof/JWT_Security_Check
JWT Security Check

This tool takes a request whose Authorization header carries a JWT and tests the target against a few vulnerabilities:

  • None algorithm vulnerability. Replaces the JWT algorithm with none, None, NONE and/or nOnE, removes the signature, and attempts a request with each variant.
  • Lack of signature validation. Only removes the signature from the JWT and sends the request.
  • Algorithm confusion. You have to provide the public key; if the JWT uses RS256 as its algorithm, the tool changes the algorithm, uses that public key to create a new JWT and attempts the request. NOTE: This test has been commented out until further testing.

Note that the tool works by comparing the response to the valid request (the one you provide) with the responses to the requests carrying the modified JWT. If both get the same response, it assumes the vulnerability exists.
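As an added example (not the tool's own code), here is the server-side verifier that makes all three probes fail: it pins the algorithm itself instead of trusting the token header, rejects an empty signature segment, and only then checks the HMAC. `run_probes` builds the same mutated tokens the checker sends (constructed inline) and reports which ones the verifier accepts; the secret, the claims and the public-key placeholder are assumptions, and only HS256 verification is implemented.

```python
import base64
import hashlib
import hmac
import json
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token, expected_alg, key):
    """Claims dict if the token verifies, else None. The server pins the alg; the header never picks it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Exact, case-sensitive match: none/None/NONE/nOnE and an RS256->HS256
    # downgrade are all refused here, before any signature arithmetic runs.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    if not sig or expected_alg != "HS256":  # stripped signature, or an alg this example does not implement
        return None
    mac = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(mac, sig) else None

def make_token(alg, claims, key):  # constructed test tokens; key=None leaves the signature segment empty
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if key is None:
        return f"{h}.{p}."
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

SECRET = b"constructed-demo-secret"
PUBKEY = b"constructed-public-key-placeholder"  # stands in for the PEM the real tool is given via -k
CLAIMS = {"sub": "alice", "role": "user"}

def run_probes():  # True = verifier accepted the probe (a finding); only "valid" should be True
    res = {"valid": verify_jwt(make_token("HS256", CLAIMS, SECRET), "HS256", SECRET) == CLAIMS}
    for alg in ("none", "None", "NONE", "nOnE"):
        res[alg] = verify_jwt(make_token(alg, CLAIMS, None), "HS256", SECRET) is not None
    res["no_signature"] = verify_jwt(make_token("HS256", CLAIMS, None), "HS256", SECRET) is not None
    # confusion probe: HS256 token MACed with the public key, presented to an RS256-pinned verifier
    res["confusion"] = verify_jwt(make_token("HS256", CLAIMS, PUBKEY), "RS256", PUBKEY) is not None
    return res
```

A service that returns True for anything other than "valid" is exactly what the checker's same-response comparison flags.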

Usage:

python3 JWT_security_check.py -r <request file> [-p <https|http>] [-k <public key file>]
  • -r: File containing the request. It must contain the JWT in its Authorization header.
  • -p: HTTP or HTTPS. Default is HTTPS.
  • -k: Only if the algorithm is RS256. Provide a file with the public key.
