Aller au contenu

crack

Ce contenu n’est pas encore disponible dans votre langue.

Analyse a JWT token for known vulnerabilities. Without --url the tool runs in offline mode and performs pure cryptographic checks with no network requests. With --url each exploit technique probes the live server and reports whether it is accepted.

Terminal window
# Offline — no URL required
jwtop crack <token> [flags]
# Online — probe a live server
jwtop crack <token> --url <url> [flags]
FlagDescription
--urlTarget URL to probe (omit for offline analysis)
--expected-statusHTTP status code that indicates a successful exploit (default 200)
--keyPath or URL to a PEM public key file for the hmacconfusion probe
--wordlistPath to a newline-delimited file of candidate secrets
--secretExplicit candidate secret for brute-force (repeatable)
--workersNumber of concurrent workers for secret brute-force (default 8)
--kid-sql-tableTable name for the kid SQL injection payload (default tokens)
--kid-pathFile path for the kid path traversal payload (default /dev/null)
--token-inWhere to place the exploited JWT: header, cookie, query, or body (default header)
--token-nameHeader/cookie/query/form-field name for the JWT (default Authorization for header, token otherwise)
--token-prefixValue prefix before the token, e.g. Bearer (default Bearer only for the default Authorization header)

When --url is omitted, checks are limited to what can be determined from the token itself — no network calls are made.

CheckWhat is detected
algnoneToken already uses alg=none (any capitalisation)
blanksecretToken signature verifies against an empty HMAC secret
nullsigToken has an empty signature segment
weaksecretHMAC signing secret found via dictionary brute-force

Checks that require a live server (hmacconfusion, psychicsig, kidinjection, no_verification, and algnone casing variants) are skipped with an explanatory message.

When --url is provided, a modified token is sent as Authorization: Bearer <token> for each technique. A technique is VULNERABLE when the server responds with a status code that differs from the baseline (the status returned for a deliberately invalid JWT).

--expected-status sets the baseline manually. When omitted, a first request with an invalid token auto-detects it.

Authorization: Bearer is only the default. If the target reads the JWT from a cookie, a query parameter, or a form-encoded body instead, use --token-in, --token-name, and --token-prefix to match — every probe request (including baseline auto-detection) follows the same placement.

Terminal window
# Cookie
jwtop crack $TOKEN --url https://api.example.com/protected --token-in cookie --token-name session
# Query parameter
jwtop crack $TOKEN --url https://api.example.com/protected --token-in query --token-name access_token
# Form-encoded POST body
jwtop crack $TOKEN --url https://api.example.com/protected --token-in body --token-name jwt
# Custom header
jwtop crack $TOKEN --url https://api.example.com/protected --token-in header --token-name X-Auth-Token --token-prefix "Token "

--token-in body sends the probe as a POST request; every other location keeps the default GET.

TechniqueDescription
algnone (×4)alg=none with four common capitalisation variants
blanksecretRe-sign with an empty HMAC secret
nullsigStrip the signature segment entirely
hmacconfusionRe-sign using a public key as HMAC secret (skipped without --key)
psychicsigRe-sign ECDSA tokens with an all-zero (r=0, s=0) signature — CVE-2022-21449 (skipped for non-ECDSA algorithms)
kidinjection (sql)SQL injection via the kid header
kidinjection (path)Path traversal via the kid header
weaksecretDictionary brute-force of the HMAC signing secret
# Offline
[+] Blank Secret CONFIRMED
[ ] Algorithm None (none) OK
[-] HMAC Confusion skipped (requires live server)
# Online
[+] algnone (none) 200 VULNERABLE
[ ] blanksecret 401
[-] hmacconfusion skipped (no public key provided)
[+] weaksecret 200 VULNERABLE (secret: hunter2)
  • [+] — vulnerability confirmed (offline) or server accepted the exploit (online)
  • [ ] — not vulnerable
  • [-] — technique was skipped (prerequisite missing or offline)
  • [!] — a network or token error occurred

Offline — detect cryptographic weaknesses

Terminal window
jwtop crack $TOKEN

Offline — crack the signing secret with a wordlist

Terminal window
jwtop crack $TOKEN --wordlist /path/to/secrets.txt
jwtop crack $TOKEN --wordlist /path/to/secrets.txt --secret mysecret --secret topsecret

Online — probe with the built-in secret dictionary

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected

Online — include a public key for the hmacconfusion probe

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected \
--key /path/to/public.pem
jwtop crack $TOKEN --url https://api.example.com/protected \
--key https://example.com/public.pem

Online — use a custom wordlist and explicit guesses

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected \
--wordlist /path/to/secrets.txt \
--secret mysecret --secret topsecret

Online — expect a different success status (e.g. 403 means authenticated but unauthorised)

Terminal window
jwtop crack $TOKEN --url https://api.example.com/protected \
--expected-status 403
CodeMeaning
0At least one vulnerability found
1No vulnerabilities found