Week 40 - JWT Testing

Looking for a quick way to test JSON Web Tokens (JWTs) during an #AppSec engagement? I highly recommend using jwt_tool! To get it running, just locate a GET request to an authenticated endpoint that uses a JWT in the Authorization header. Then run the following command:

python3 jwt_tool.py -M at -t "https[:]//staging[.]client[.]com/api/v3/endpoint" -rh "Authorization: Bearer eyJ0eHAiCiJKV1QiLCJhbGciO…<more>"

The -M option sets the attack mode; in the above case we set 'at' for all tests. The -t option is the target URL. The -rh option lets us specify request headers, in this case the Authorization request header containing the JWT. Then let it rip! It will auto-magically test common exploits, claim fuzzing, token misconfigurations, etc., leaving you more time for that business logic! Let me know what tools you use for #JWT testing in the comments below.
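If you want to see what "token misconfigurations" means before handing a token to jwt_tool, here is a small inspector I added for this post (it is not part of jwt_tool). It decodes a JWT without verifying it and flags the things a reviewer checks first: an unsigned token, a missing or past exp claim, and header fields that point the verifier at an external key URL. The tokens it is run on are constructed in code with a placeholder signature.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, signature: bytes = b"placeholder") -> str:
    # Builds a token for exercising the inspector only; the signature is a
    # constructed placeholder, not a real MAC over header and payload.
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(signature),
    ])


def inspect_jwt(token: str, now: Optional[float] = None) -> dict:
    """Decode a JWT (no signature verification) and list weak configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none or empty signature)")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] < now:
        findings.append("token is expired")
    for hdr in ("jku", "x5u"):
        if hdr in header:
            # The verifier would fetch its key from a URL the token itself supplies.
            findings.append(f"header carries {hdr}: key location is attacker-controllable input")
    return {"header": header, "payload": payload, "findings": findings}


if __name__ == "__main__":
    weak = make_token({"alg": "none", "typ": "JWT"}, {"sub": "user1"}, b"")
    print(json.dumps(inspect_jwt(weak)["findings"], indent=2))
```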
