jwt-hack 2.0.0

Hack the JWT (JSON Web Token) - A tool for JWT security testing and token manipulation
jwt-hack-2.0.0 is not a library.
Visit the last successful build: jwt-hack-2.4.0

A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

Installation

Cargo

cargo install jwt-hack

Homebrew

brew tap hahwul/jwt-hack
brew install jwt-hack

From source

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

Features

Mode Description Support
Encode JWT Encoder Secret based / Key based / Algorithm / Custom Header
Decode JWT Decoder Algorithm, Issued At Check
Verify JWT Verifier Secret based / Key based (for asymmetric algorithms)
Crack Secret Cracker Dictionary Attack / Brute Force
Payload JWT Attack Payload Generator none / jku&x5u / alg_confusion / kid_sql / x5c / cty

Basic Usage

Decode a JWT

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED

Encode a JWT

# With Secret
jwt-hack encode '{"sub":"1234"}' --secret=your-secret

# With Private Key
ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key
jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256

Verify a JWT

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key

Crack a JWT

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4

Generate payloads

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com

Contribute

Urx is open-source project and made it with ❤️ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.