jwt-tool

The JWT to tinker with (no need to specify if in header/cookies)

--bareReturn TOKENS ONLY

--modeScanning mode: pb = playbook audit, er = fuzz existing claims to force errors, cc = fuzz common claims, at - All Tests!

--signSign the resulting token

--crackCrack key for an HMAC-SHA token

--queryQuery a token ID against the logfile to see the details of that request

--tamperTamper with the JWT contents

--cookiesRequest cookies to send with the forged HTTP request

--exploitExploit known vulnerabilities: a = alg:none, signature, b = blank password accepted in signature, s = spoof JWKS, k = key confusion (specify public key with -pk), i = inject inline JWKS

--headersRequest headers to send with the forged HTTP request (can be used multiple times for additional headers)

--noproxyDisable proxy for current request

--pubkeyPublic Key for Asymmetric crypto

--verboseWhen parsing and printing, produce (slightly more) verbose output

--jwksurlURL location where you can host a spoofed JWKS

--jwksfileJSON Web Key Store for Asymmetric crypto

--keyfileKeyfile for cracking (when signed with 'kid' attacks)

--postdataText string that contains all the data to be sent in a POST request

--privkeyPrivate Key for Asymmetric crypto

--targeturlTarget URL

--verifyVerify the RSA signature against a Public Key

--canaryvalueText string that appears in response for valid token (e.g. Welcome, ticarpi)

--headerclaimHeader claim to tamper with

--headervalueValue (or file containing values) to inject into tampered header claim

--injectclaimsInject new claims and update existing claims with new values

--payloadclaimPayload claim to tamper with

--payloadvalueValue (or file containing values) to inject into tampered payload claim

--dictDictionary file for cracking