Hi, I'm here to bring to your attention my new tool. It's a command line interface to test the security of JWTs. It covers all known CVEs affecting JSON Web Tokens. It supports all algorithms defined by the JWA standard. It also provides functionality to verify a token with a single key, or to parse a JWKS file to find the JWK used to verify (if there). You can also access subclaims without other user interaction or having to pass JSON strings.
The release I'm linking to also provides a deb package, which should be OK, but let me know if changes are needed.
The tool can also be installed via pip:
- python -m pip install jwtxploiter
Documentation is provided by the repository wiki.