jwt_tool v2.2.7

jwt_tool v2.2.7
[+] Fixed Python 3.12 support (thanks @JJK96)
[+] Implemented (-r/--request) 'sqlmap style' request import mode (thanks @rbrown256)

jwt_tool v2.2.6

jwt_tool v2.2.6
[+] Fixed alg issue in prompt (thanks @jwutzke)
[+] Implemented a no-redirect option to avoid 301/302 ambiguous results (-nr/--no-redirect) (thanks @TheREK3R)
[+] Improved some JWKS/kid handling
[+] Fixed non-ASCII password issue on Playbook Scan
Bugfixes

jwt_tool v2.2.5

jwt_tool v2.2.4
[+] NEW Dockerfile
[+] Config and logs now moved to {HOME}/.jwt_tool to facilitate Docker builds and better file management

jwt_tool v2.2.4

jwt_tool v2.2.4
[+] NEW 'verbose' mode: read token in original context, base64-decoded (-v/--verbose)
[+] Bugfixes

jwt_tool v2.2.1

jwt_tool v2.2.1
[+] New scan test (re-signing of tokens with common passwords) in 'Playbook' scan mode (-M pb)
[+] Added new hard-coded secret from CVE-2020-1764 to jwt-common.txt
[+] Bugfixes

jwt_tool v2.2.0

jwt_tool v2.2.0
[+] NEW exploit: blank password in signature (-X b)
[+] NEW 'bare' mode: return only tokens to stdout - for using with upcoming integrations (-b)
[+] additional checks in 'Playbook' scan mode (-M pb)
[+] reordered help options to group similar options
[+] Bugfixes

jwt_tool v2.1.0

jwt_tool v2.1.0

[+] NEW exploit: null signature (-X n)
[+] NEW scanner mode: Inject Common Claims (-M cc)
[+] additional checks in 'Playbook' scan mode (-M pb)
[+] multiple custom headers now supported (-rh)
[+] reflective JWKS URL created automatically in config file - for JKU/Spoof JWKS attacks (-X s)
[+] checks added for old/incompatible config files
[+] report on long HTTP response times
[+] Bugfixes

jwt_tool v2.0.2

jwt_tool v2.0.2 - MAJOR NEW VERSION

MAJOR REWRITE: lots more capabilities and new commandline arguments/flags - docs written and guides published
[+] Send tokens directly to the web application from jwt_tool, and proxy through existing tools (Burp, ZAP, etc.)
[+] ALL NEW SCANNING MODE!:

• Scan for common vulnerabilities from the JWT Attack Playbook
• Test for error conditions by forcing invalid content-types in claims
• Test for unused valid claims by injection
  [+] Customise your default options in the config file
  [+] Built-in dictionaries and assistive lists to find bugs and misconfigurations
  [+] Logging enabled for all tokens, allowing audit, review and re-tampering of successful requests
  [+] Inject token claims and values on-the-fly across all modes, fuzz values from lists, and bruteforce accepted values

(This release - v2.0 [incorporating bugfixes from v2.0.1 and v2.0.2])

jwt_tool v1.3.5

jwt_tool v1.3.5 - improved reading of nested JSON in claims

[+] Enabled reading of multiple-level nesting of JSON objects in claims (thanks @frani @fredsibcald @ASoggySandal)
Fixed function names and text referencing 'key length' where it should have been 'hash length' (thanks @floyd-fuh)

jwt_tool v1.3.4

jwt_tool v1.3.4 - improved tampering to allow all JSON objects and types

[+] Updated Tamper mode to allow users to input all JSON data types when editing or creating new claims
- To specify a new JSON object just create a new empty object with curly braces: {}
- To create a JSON array add it in directly: ['item1','item2']
[+] General streamlining and bug squashing