You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I like this idea, It's been a while since I've used jwt_tool but I'm not sure how much is possible offline...
In order to use the -M pb option in jwt_tool the parameters and endpoint would have to be known which might not necessarily be the case.
That being said even offline we can decode the JWT and check if it has any sensitive information inside and I would also like it to flag up tokens with a higher priority if they haven't expired
Description
Which feature would you like to see added to BBOT? What are its use cases?
https://github.com/ticarpi/jwt_tool
it would be cool to see if you could implement this module to scan for
(CVE-2015-2951) The alg=none signature-bypass vulnerability
(CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
(CVE-2018-0114) Key injection vulnerability
(CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
(CVE-2020-28042) Null signature vulnerability
currently the system can extract JWT tokens so if it was to run something like
python3 jwt_tool.py eyJxxxx -t https://www.example.com
it could then see if the JWT had anything fun inside or was vuln to an attackThe text was updated successfully, but these errors were encountered: