Repository files navigation

jwtcat is aPython script designed to detect and exploit well-known cryptographic flaws present in JSON Web Token (JWT).

These vulnerabilities, if successfully exploited by an adversary could allow authentication bypass, information disclosure and could ultimately lead to the compromise of an entire information system.

More information aboutJWT vulnerabilities can be found at:

• https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

• Test against the following vulnerabilitie(s):
  • CVE-2018-1000531:JWT signature bypass due to the use ofNone hashing algorithm (alg=none)
• Guessing attacks againstJWT private keyssigned with theHS256 hashing algorithm:
  • Brute-force attacks
  • Wordlist attacks

jwtcat is fully written inPython 3 andrequires a minimum ofPython 3.6 in addition to the following libraries:

• coloredlogs
• PyJWT
• tqdm

1. Clone the repository:

   git clone https://github.com/AresS31/jwtcatcd jwtcat

2. (Optional but recommended) Create and activate a newPython virtual environment:

   1. Create the virtual environment:

      python -m venv env

   2. Activate the newly created environment:

      • OnPOSIX:

        source ./env/bin/activate

      • OnWindows:

        ./env/Scripts/Activate.ps1

3. Install dependencies:

   python -m pip install -r requirements.txt

• To list the available options:

  python jwtcat.py -h

• To list available options specific to brute force attacks:

  python jwtcat.py brute-force -h

  

• To list available options specific to wordlist attacks:

  python jwtcat.py wordlist -h

  

• To test aJWT againstCVE-2018-1000531 andHS256 brute-force attacks:

  python jwtcat.py vulnerable -h

  

• Implement additional attack vectors.
• Implement support for multithreading or multiprocessing.
• Implement support for the-tF, --token-file swicth.
• Improve the code logic for:
  • TQDM integration with thelogger.
• Improve the script performances.

• Added checks to see ifJWT is signed withHS256.
• Added checks to see ifJWT is vulnerable toCVE-2018-1000531.
• Addedpotfile options.
• Added support for brute-force attacks.
• Code refactoring.
• Improved the standard output formatting.
• Switched frompython-colorlog tocoloredlogs.

If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕

It is easy, all you got to do is press theSponsor button at the top of this page or alternativelyclick this link. 💸

Found a bug? I would love to squash it! 🐛

Please report all issues on the GitHubissues tracker.

You would like to contribute to better this project? 🤩

Please submit allPRs on the GitHubpull requests tracker.

SeeLICENSE.