tyki6 / myjwt
A cli for cracking, testing vulnerabilities on Json Web Token (JWT)
License: MIT License
The brute-force option is cool but not useful when the defender uses an autogenerated password for the JWT signing key.
Crack the key which signed your JWT (alg: HSXX needed): send a regex, iterate on it and test all possibilities.
## Examples of command
myjwt YOURJWT --crack [a-z]{1,10}
output:
your keys is xxxxxx
The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.
Bug when the JWT has a value whose type is not str.
myjwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Your jwt is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Your jwt decoded is:
Header:
alg = HS256
typ = JWT
Payload:
sub = 1234567890
name = John Doe
iat = 1516239022
Your jwt is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Your jwt decoded is:
Header:
alg = HS256
typ = JWT
Payload:
sub = 1234567890
name = John Doe
Traceback (most recent call last):
TypeError: can only concatenate str (not "int") to str
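The traceback above comes from concatenating claim values as strings. As an added example (not myjwt's own code; the function names are assumptions), a small decoder using the token quoted in the issue reproduces the TypeError on the integer iat claim and shows the fix:

```python
import base64
import json

# The jwt.io sample token quoted in the issue above; its "iat" claim is an integer.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    # Split and decode the three segments without verifying the signature (display only).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def render_claims_buggy(claims: dict) -> list[str]:
    # Mirrors the reported defect: "+" on a str and a non-str raises TypeError,
    # so rendering stops at the integer "iat" claim.
    return [key + " = " + value for key, value in claims.items()]


def render_claims_fixed(claims: dict) -> list[str]:
    # Convert every value explicitly; ints, bools, lists and nested objects all render.
    return [f"{key} = {value}" for key, value in claims.items()]


def reproduces_bug(claims: dict) -> bool:
    # True when the naive renderer fails on this payload.
    try:
        render_claims_buggy(claims)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    header, payload, _ = decode_jwt(SAMPLE_JWT)
    print("Header:\n" + "\n".join(render_claims_fixed(header)))
    print("Payload:\n" + "\n".join(render_claims_fixed(payload)))
```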
The bot encountered an error in your .pyup.yml
config file:
in "<unicode string>", line 10, column 12:
pin: True
^
You can validate it with this online YAML parser or by taking a look at the Documentation.
Describe the bug
With prompt-toolkit 3.0.32+ (a dependency of questionary), I'm seeing a test failure:
_____________________________ test_user_interface ______________________________
def test_user_interface():
"""
Test user_interface in myjwt_cli.py
"""
result = CliRunner().invoke(myjwt_cli, [test_jwt])
# raise UnsupportedOperation(stdin is not a terminal)
> assert type(result.exception) == UnsupportedOperation
E AssertionError: assert <class 'SystemExit'> == UnsupportedOperation
E + where <class 'SystemExit'> = type(SystemExit(1))
E + where SystemExit(1) = <Result SystemExit(1)>.exception
tests/test_myjwt_cli.py:370: AssertionError
To Reproduce
make tox
Expected behavior
Test should have passed.
Environment (please complete the following information):
Additional context
Bisected to prompt-toolkit/python-prompt-toolkit@c244354.
When you run myjwt MYJWT --print, useless output is sent.
Remove this useless output
myjwt MYJWT --print
Header: XXXXXXXXXXXXX
Payload: XXXXXXXXXXXXX
Signature: XXXXXXXXXXXXXXXXX
Header: XXXXXXXXXXXXX
Payload: XXXXXXXXXXXXX
Signature: XXXXXXXXXXXXXXXXX
new jwt: MYJWT
Describe the bug
The issue is that the setup.py is deploying the tests
folder under the root python path and not under this package one.
So it ends up under /usr/lib/python3.11/site-packages/tests
rather than /usr/lib/python3.11/site-packages/myjwt/tests
and so conflicts with other packages having the same issue.
Anyway, usually tests are not shipped in a release package, so the easiest would just be to remove them. Otherwise they should be deployed in the child directory.
It's explained in ArchLinux packaging guidelines for Python: https://wiki.archlinux.org/title/Python_package_guidelines#Test_directory_in_site-package
jku header to bypass an authentication based on JWT
Build the header with the link to the place you're hosting your JWK file
myjwt MYJWT --jku
new JWT: JWT
When creating a token which uses a url fwd like ( x5u ):
Example: http://[email protected]/.well-known/ --file jwks_with_x5c.json
The data gets clipped and the token is not generated using the --file. You have to define it manually to make the token correct, like below:
myjwt -p user=admin --x5u "http:/[email protected]/jwks_with_x5c.json" --file jwks_with_x5c --key private.pem --crt hacker.crt --print
If you have any questions just ping me. I cannot post the data here as I discovered it on an actual JWT x5u auth bypass challenge and it is exclusively stated to not share information.
Great frigging tool !!!!! Color coding would be amazing on output.
Thanks.