Skip to main content

Testing, tweaking and cracking JSON Web Tokens (JWT)

What is JSON Web Token?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

In this post, we will see how to test, tweak, and try to crack JWTs. There are few open-source libraries that we can use. One such utility is https://github.com/ticarpi/jwt_tool which is a toolkit for testing, tweaking, and cracking JSON Web Tokens.

This tool is written in Python 3 (version 3.6+).

Its functionality includes:

  • Checking the validity of a token
  • Testing for known exploits:
  • (CVE-2015–2951) The  signature-bypass vulnerability
  • (CVE-2016–10555) The  public key mismatch vulnerability
  • (CVE-2018–0114)  vulnerability
  • Scanning for misconfigurations or known weaknesses
  • Fuzzing claim values to provoke unexpected behaviors
  • Testing the validity of a secret/key file/Public Key/JWKS key
  • Identifying  via a High-speed 
  • Forging new token header and payload contents and creating a new signature with the key or via another attack method
  • Timestamp tampering
  • RSA and ECDSA key generation, and reconstruction (from JWKS files)
  • …and lots more!

You can visit the repository on github and get the instructions on github.

Happy Coding!!!

Labels:

Comments

Post a Comment

Popular posts from this blog

Track stock market information right in your Terminal.

     Introduction: As a developer, I love working with the terminal. The plain, simple, and in my opinion the best way to interact with the computer (also it makes you look geeky). I spent most of my time in the terminal. By now you must have guessed I am a huge fan of the terminal and terminal-based applications. Recently I developed an interest in stock markets and started tracking the stock markets. Since I love working with the terminal I decided to build a terminal oriented application that can help me to track the stock market. Inspir e d by  wttr.in  I build  terminal-stocks  which can provide the stock's current prices, historical prices, and global market summary. How to use terminal-stocks terminal-stocks  is available and can be used without installation. Get the current price of the stock. curl terminal-stocks.dev/ITC.NS Current price of stocks You need to provide the ticker of the stock and terminal-stocks will give you the price inf...
Post a Comment
Read more

PrivateGPT: A Step-by-Step Guide to Installation and Use

In this blog post, we will explore the ins and outs of PrivateGPT, from installation steps to its versatile use cases and best practices for unleashing its full potential. What is PrivateGPT? PrivateGPT is a cutting-edge program that utilizes a pre-trained GPT (Generative Pre-trained Transformer) model to generate high-quality and customizable text. Built on OpenAI's GPT architecture, PrivateGPT introduces additional privacy measures by enabling you to use your own hardware and data. This ensures that your content creation process remains secure and private. Installation Steps Before we dive into the powerful features of PrivateGPT, let's go through the quick installation process. PrivateGPT is a command line tool that requires familiarity with terminal commands. Let's get started: 1. Clone the Repository: Begin by cloning the PrivateGPT repository from GitHub using the following command: ``` git clone https://github.com/imartinez/privateGPT.git ``` 2.Navigate to the Direc...
Post a Comment
Read more

Visualising Your Google Location History

Step 1: Download Your Google Location History First, you need to download your location history data from Google. Follow these steps to get started: Go to Google Takeout : Visit Google Takeout to begin the process. Select Location History (Timeline) : Make sure to select the “Location History (Timeline)” option. 3. Export Your Data : Google will compile your data, which might take some time. You will receive an email once your data is ready to be downloaded. 4. Download the Data : Follow the instructions in the email to download your data. Step 2: Extract the Downloaded File Once you’ve downloaded your data, locate the file and extract it. The location data will be in a JSON file at the following path: takeout-202XXXXXTXXXXXXZ-001/Takout/Location History (Timeline)/Records.json Step 3: Convert JSON to CSV To make the location data usable, we need to convert it from JSON to CSV format. Although you can convert it to KML or geoJSON formats, we’ll focus on CSV for this post. 1.  Clon...
Post a Comment
Read more