Week 40 - JWT Testing
Last updated
Looking for a quick way to test JSON Web Tokens (JWTs) during an #AppSec engagement?
I highly recommend jwt_tool. To get it running, locate a GET request to an authenticated endpoint that sends a JWT in the Authorization header, then run the following command:
python3 jwt_tool.py -M at -t "https[:]//staging[.]client[.]com/api/v3/endpoint" -rh "Authorization: Bearer eyJ0eHAiCiJKV1QiLCJhbGciO…<more>"
The -M option selects the attack mode; here ‘at’ runs all tests. The -t option is the target URL. The -rh option adds request headers to every request, in this case the Authorization header carrying the JWT so that the tool's tampered tokens are sent against an authenticated endpoint.
Then let it rip! It auto-magically tests common exploits, claim fuzzing, token misconfigurations, etc., leaving you more time for that business logic!
Let me know what tools you use for #JWT testing in the comments below.