Comments (2)
I like this idea, It's been a while since I've used jwt_tool but I'm not sure how much is possible offline...
In order to use the -M pb
option in jwt_tool the parameters and endpoint would have to be known which might not necessarily be the case.
That being said even offline we can decode the JWT and check if it has any sensitive information inside and I would also like it to flag up tokens with a higher priority if they haven't expired
from bbot.
not sure how much is possible offline...
This is the main issue. In order to test most of these CVEs, you'd need to have:
- A legitimate JWT that you got from logging in (not just visiting the page)
- A way to send each of the crafted JWTs and analyze the server's responses to see whether it's vulnerable
Both of these are difficult to automate.
from bbot.
Related Issues (20)
- unstructured module (dev) doesn't work on arch HOT 5
- Run Tests on Multiple Linux Distros HOT 1
- Tool not moving on with no events in queue? HOT 5
- api key placeholders missing in fresh config HOT 1
- Ways to optimise memory usage? HOT 1
- Wayback misbehaving
- Presets: wait until .bake() to create target object HOT 1
- Merge parse_list_string() and chain_lists() HOT 1
- Fix Chicken-and-Egg Scenario with Targets HOT 1
- Optimize whitelists and blacklists to only consider hosts HOT 1
- Better tests for context discovery HOT 1
- Generic_SSRF tests sometimes fail
- Don't add subnets to whitelist + blacklist if their parent is already included HOT 1
- BBOT 2.0 URL Excavation TODOs HOT 2
- dnscommonsrv is slow on big targets HOT 1
- Dependencies fail to install in BBOT 2.0 HOT 2
- BBOT 2.0 multiprocessing oopsie
- Scan can't start (no module named baddns) HOT 6
- Better tests for portscan module
- Recursive decoding not working for STORAGE_BUCKETs
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bbot.