jwt_tool v2.3.0

jwt_tool v2.3.0
[+] NEW exploit: ECDSA Psychic Signature (CVE-2022-21449) (-X p)
[+] Rate limiting now implemented as requests per minute (e.g. -rt 10/--rate 10) (Thanks @Molx32)
[+] Updated common secrets dictionary (Thanks @random-robbie)
[+] Bugfixes (Thanks @rbrown256 and @sullo)

jwt_tool v2.2.7

jwt_tool v2.2.7
[+] Fixed Python 3.12 support (thanks @JJK96)
[+] Implemented (-r/--request) 'sqlmap style' request import mode (thanks @rbrown256)

jwt_tool v2.2.6

jwt_tool v2.2.6
[+] Fixed alg issue in prompt (thanks @jwutzke)
[+] Implemented a no-redirect option to avoid 301/302 ambiguous results (-nr/--no-redirect) (thanks @TheREK3R)
[+] Improved some JWKS/kid handling
[+] Fixed non-ASCII password issue on Playbook Scan
Bugfixes

jwt_tool v2.2.5

jwt_tool v2.2.4
[+] NEW Dockerfile
[+] Config and logs now moved to {HOME}/.jwt_tool to facilitate Docker builds and better file management

jwt_tool v2.2.4

jwt_tool v2.2.4
[+] NEW 'verbose' mode: read token in original context, base64-decoded (-v/--verbose)
[+] Bugfixes

jwt_tool v2.2.1

jwt_tool v2.2.1
[+] New scan test (re-signing of tokens with common passwords) in 'Playbook' scan mode (-M pb)
[+] Added new hard-coded secret from CVE-2020-1764 to jwt-common.txt
[+] Bugfixes

jwt_tool v2.2.0

jwt_tool v2.2.0
[+] NEW exploit: blank password in signature (-X b)
[+] NEW 'bare' mode: return only tokens to stdout - for using with upcoming integrations (-b)
[+] additional checks in 'Playbook' scan mode (-M pb)
[+] reordered help options to group similar options
[+] Bugfixes

jwt_tool v2.1.0

jwt_tool v2.1.0

[+] NEW exploit: null signature (-X n)
[+] NEW scanner mode: Inject Common Claims (-M cc)
[+] additional checks in 'Playbook' scan mode (-M pb)
[+] multiple custom headers now supported (-rh)
[+] reflective JWKS URL created automatically in config file - for JKU/Spoof JWKS attacks (-X s)
[+] checks added for old/incompatible config files
[+] report on long HTTP response times
[+] Bugfixes

jwt_tool v2.0.2

jwt_tool v2.0.2 - MAJOR NEW VERSION

MAJOR REWRITE: lots more capabilities and new commandline arguments/flags - docs written and guides published
[+] Send tokens directly to the web application from jwt_tool, and proxy through existing tools (Burp, ZAP, etc.)
[+] ALL NEW SCANNING MODE!:

• Scan for common vulnerabilities from the JWT Attack Playbook
• Test for error conditions by forcing invalid content-types in claims
• Test for unused valid claims by injection
  [+] Customise your default options in the config file
  [+] Built-in dictionaries and assistive lists to find bugs and misconfigurations
  [+] Logging enabled for all tokens, allowing audit, review and re-tampering of successful requests
  [+] Inject token claims and values on-the-fly across all modes, fuzz values from lists, and bruteforce accepted values

(This release - v2.0 [incorporating bugfixes from v2.0.1 and v2.0.2])

jwt_tool v1.3.5

jwt_tool v1.3.5 - improved reading of nested JSON in claims

[+] Enabled reading of multiple-level nesting of JSON objects in claims (thanks @frani @fredsibcald @ASoggySandal)
Fixed function names and text referencing 'key length' where it should have been 'hash length' (thanks @floyd-fuh)