
JSON Web Tokens (JWTs) are an open, industry standard method for representing claims securely between two parties. There are numerous implementations for JWT verification, but it looks like each author is testing his implementation on his own. It would be great if there was a tool or fuzzer to verify that a given implementation is compliant with the standard and is secure. A starting point could be the RFC 7520 document that describes fuzz vectors and examples for fuzz testing.

Is there such a tool already?

Or are people testing JWT in another way?

asked Feb 18, 2016 at 11:42

1 Answer


I have released a Python 2/3 JWT Fuzzing Library: JWTFuzz https://github.com/workingset/jwtfuzz

It's not a full blown tool as you requested, but it can generate thousands of fuzzed/unusual JWTs based off a given sample. It will even sign them correctly if you give it the right private key.

The output can easily be fed into curl or any other custom tool that might help in testing the robustness of your JWT implementation or application that is using JWTs for authentication.

answered Dec 4, 2017 at 22:07
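As an added illustration of the approach the answer describes (deriving unusual tokens from one valid sample and feeding them to the verifier under test), here is a small self-contained harness. It is example code written for this page, not code from the question, the answer, or the JWTFuzz project. It assumes an HS256 token, a constructed test key, and a minimal strict verifier standing in for the implementation being tested; each mutated token must be rejected and only the untouched sample accepted.

```python
import base64
import hashlib
import hmac
import json
import string
from typing import Dict, Optional

# Canonical base64url alphabet: no padding, no '+' or '/'.
_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Strict decoding: padding or out-of-alphabet characters are rejected
    # rather than silently ignored, so near-canonical variants cannot slip by.
    if any(c not in _B64URL_ALPHABET for c in segment):
        raise ValueError("non-canonical base64url segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _enc_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    header = _enc_json({"alg": "HS256", "typ": "JWT"})
    body = _enc_json(payload)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Stand-in for the implementation under test: strict HS256-only verifier."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, b, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header must not be allowed to pick 'none' or
    # another algorithm than the one this key is meant for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(b64url_decode(b))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


def mutate(token: str) -> Dict[str, str]:
    """Derive unusual tokens from one valid sample; every one must be rejected."""
    h, b, s = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(b))
    sig = bytearray(b64url_decode(s))
    sig[0] ^= 0x01  # flip one bit of the signature
    return {
        "alg_none": f"{_enc_json(dict(header, alg='none'))}.{b}.",
        "alg_none_mixed_case": f"{_enc_json(dict(header, alg='None'))}.{b}.",
        "alg_relabelled_hs512": f"{_enc_json(dict(header, alg='HS512'))}.{b}.{s}",
        "signature_stripped": f"{h}.{b}.",
        "two_segments": f"{h}.{b}",
        "extra_segment": f"{token}.extra",
        "payload_tampered": f"{h}.{_enc_json(dict(payload, sub='someone-else'))}.{s}",
        "signature_bit_flipped": f"{h}.{b}.{b64url_encode(bytes(sig))}",
        "padded_payload_segment": f"{h}.{b}=.{s}",
        "wrong_key": sign_hs256(payload, b"constructed-wrong-key"),
    }


def run_harness(key: bytes) -> Dict[str, bool]:
    """True per case means the verifier behaved correctly for that case."""
    # Constructed sample claims; 'iat' is an arbitrary fixed timestamp.
    sample = sign_hs256({"sub": "user42", "iat": 1455795720}, key)
    results = {"valid_sample_accepted": verify_hs256(sample, key) is not None}
    for name, mutated in mutate(sample).items():
        results[name] = verify_hs256(mutated, key) is None
    return results


if __name__ == "__main__":
    for case, ok in run_harness(b"constructed-test-key").items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

To test a real library, replace `verify_hs256` with a thin wrapper around that library's decode call (returning `None` on any exception) and keep the mutation list; a `FAIL` row then points at the exact class of malformed token the implementation accepts.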
