Azure JSON Web Token (“JWT”) Manipulation Toolset Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user’s access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams andRead More
Simple python script to check against hypothetical JWT vulnerability. Let’s say there is an application that uses JWT tokens signed HS256 algorithm. An example token looks like the follow: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.zbgd5BNF1cqQ_prCEqIvBTjSxMS8bDLnJAE_wE-0Cxg Above token can be decoded to the following data: { “alg”: “HS256”, “typ”: “JWT”}{ “sub”: “1234567890”, “name”: “John Doe”, “iat”: 1516239022} To calculate signature theRead More
This cli is for pentesters, CTF players, or dev. You can modify your jwt, sign, inject ,etc… Check Documentation for more information. If you see problems or enhancement send an issue.I will respond as soon as possible. Enjoy 🙂 Documentation Documentation is available at http://myjwt.readthedocs.io Features copy new jwt to clipboard user Interface (thanks questionary)Read More
[*] jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce) Installation go-get(dev version) $ go get -u github.com/hahwul/jwt-hack homebrew $ brew tap hahwul/jwt-hack$ brew install jwt-hack snapcraft $ sudo snap install jwt-hack Usage d8p 8d8 d88 888888888 888 888 ,8b. dooooooRead More
SecretFinder is a python script based on LinkFinder, written to discover sensitive data like apikeys, accesstoken, authorizations, jwt,..etc in JavaScript files. It does so by using jsbeautifier for python in combination with a fairly large regular expression. The regular expressions consists of four small regular expressions. These are responsible for finding and search anything onRead More
JWT Attack to change the algorithm RS256 to HS256Usage usage: RS256_2_HS256_JWT.py [-h] payload pubkeypositional arguments: payload JSON payload from JWT to attack pubkey Public key file to use for signingoptional arguments: -h, –help show this help message and exit Example Download RS256-2-HS256
