
myjwt's Introduction

Hi I'm mBouamama


myjwt's Issues

Crack option

Context

The brute-force option is cool but not useful when the defender uses an auto-generated password for the JWT signing key

Enhancement Request

Crack the key which signed your JWT (alg: HSXX needed): send a regex and iterate on it, testing all possibilities

Examples of command

myjwt YOURJWT --crack [a-z]{1,10}

Result wanted

output:

your keys is xxxxxx

Initial Update

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

Print error when value is not str type

Context

Bug when the JWT gets a value whose type is not str.

Process

myjwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Expected result

Your jwt is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Your jwt decoded is:

Header:
alg = HS256
typ = JWT

Payload:
sub = 1234567890
name = John Doe
iat = 1516239022

Current result

Your jwt is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Your jwt decoded is:

Header:
alg = HS256
typ = JWT

Payload:
sub = 1234567890
name = John Doe
Traceback (most recent call last):
TypeError: can only concatenate str (not "int") to str
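
The traceback above is raised when a claim name is concatenated with a non-string value (here the integer iat). As an added example, not myjwt's own code, the following decodes the token from this report and formats every claim whatever its JSON type; the function names are hypothetical.

```python
import base64
import json

# Token copied from the report above.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def decode_segment(segment):
    """Decode one base64url JWT segment; JWTs strip '=' padding, so restore it."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def format_claims(claims):
    """Return 'key = value' lines without assuming the value is a str."""
    lines = []
    for key, value in claims.items():
        # Strings print as-is; ints, bools, null, lists and nested objects
        # are rendered as JSON instead of being concatenated to a str.
        text = value if isinstance(value, str) else json.dumps(value)
        lines.append(f"{key} = {text}")
    return lines


def describe(token):
    """Return the decoded header and payload as printable lines."""
    header_b64, payload_b64, _signature = token.split(".")
    return (
        ["Header:"] + format_claims(decode_segment(header_b64))
        + ["", "Payload:"] + format_claims(decode_segment(payload_b64))
    )


if __name__ == "__main__":
    print("\n".join(describe(TOKEN)))
```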

Test failure with prompt-toolkit 3.0.32+

Describe the bug

With prompt-toolkit 3.0.32+ (a dependency of questionary), I'm seeing a test failure:

_____________________________ test_user_interface ______________________________

    def test_user_interface():
        """
        Test user_interface in myjwt_cli.py
        """
        result = CliRunner().invoke(myjwt_cli, [test_jwt])
        # raise UnsupportedOperation(stdin is not a terminal)
>       assert type(result.exception) == UnsupportedOperation
E       AssertionError: assert <class 'SystemExit'> == UnsupportedOperation
E        +  where <class 'SystemExit'> = type(SystemExit(1))
E        +    where SystemExit(1) = <Result SystemExit(1)>.exception

tests/test_myjwt_cli.py:370: AssertionError

To Reproduce
make tox

Expected behavior
Test should have passed.

Environment (please complete the following information):

  • OS: Linux
  • Python Version: 3.10

Additional context
Bisected to prompt-toolkit/python-prompt-toolkit@c244354.

Option print (useless output new JWT)

When you try myjwt MYJWT --print, useless output is sent

Context

Remove this useless output

Process

myjwt MYJWT --print

Expected result

Header: XXXXXXXXXXXXX
Payload: XXXXXXXXXXXXX
Signature: XXXXXXXXXXXXXXXXX

Current result

Header: XXXXXXXXXXXXX
Payload: XXXXXXXXXXXXX
Signature: XXXXXXXXXXXXXXXXX
new jwt: MYJWT

packaging issue: deployment of tests

Describe the bug

The issue is that the setup.py is deploying the tests folder under the root Python path and not under this package's one.

So it ends up under /usr/lib/python3.11/site-packages/tests rather than /usr/lib/python3.11/site-packages/myjwt/tests and so conflicts with other packages having the same issue.

Anyway, usually tests are not shipped in a release package, so the easiest would be just to remove them. Else they should be deployed in the child directory.

It's explained in ArchLinux packaging guidelines for Python: https://wiki.archlinux.org/title/Python_package_guidelines#Test_directory_in_site-package

jku header

jku header to bypass an authentication based on JWT

Context

Build the header with the link to the place you're hosting your JWK file

Enhancement Request

  • Build the header with the link to the place you're hosting your JWK file
  • Sign the token using RSA with the private key that matches the n and e in the JWK file

Examples of command

myjwt MYJWT --jku

Result wanted

new JWT: JWT

File option not working with x5u

When creating a token which uses a url fwd like ( x5u ):
Example: http://[email protected]/.well-known/ --file jwks_with_x5c.json

The data gets clipped and the token is not generated using the --file. You have to define it manually to make the token correct, like below:

myjwt -p user=admin --x5u "http:/[email protected]/jwks_with_x5c.json" --file jwks_with_x5c --key private.pem --crt hacker.crt --print

If you have any questions just ping me. I cannot post the data here as I discovered it on an actual jwt x5u auth bypass challenge and it is exclusively stated to not share information.

Great frigging tool !!!!! Color coding would be amazing on output.

Thanks.
~!>d
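
The jku and x5u requests above both depend on a verifier fetching keys from whatever URL the token header names. As an added example from the verifier's side (not part of myjwt or of these issues), this check accepts a jku/x5u value only on an exact allowlist match; the allowlist entry, the sample hosts and the function names are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlsplit

# Hypothetical allowlist: the only key location this verifier trusts.
TRUSTED_KEY_URLS = {("https", "keys.example.com", "/.well-known/jwks.json")}

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def key_url_allowed(url):
    """Accept a jku/x5u value only on an exact scheme, host and path match."""
    if not isinstance(url, str):
        return False
    parts = urlsplit(url)
    # Text before '@' is userinfo, not the host, so a trusted-looking
    # prefix there must not count as a match.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    try:
        port = parts.port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname, parts.path) in TRUSTED_KEY_URLS

def check_header(token):
    """Return (ok, reason) for a token's header before any key is fetched."""
    header = b64url_json(token.split(".")[0])
    for name in ("jku", "x5u"):
        if name in header and not key_url_allowed(header[name]):
            return False, f"{name} not on allowlist"
    return True, "ok"

def make_token(header):
    """Build a constructed, unsigned sample token carrying the given header."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'user': 'admin'})}.constructed"

if __name__ == "__main__":
    bad = "https://keys.example.com@attacker.invalid/.well-known/jwks.json"
    print(check_header(make_token({"alg": "RS256", "jku": bad})))
```

Running the header check before any network request means an untrusted URL is rejected without the verifier ever contacting it.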
