JWTJuggler (JOT JUGGLER): JWT & Authentication Testing Harness
JWTJuggler is a Python-based testing harness for JWT authentication and authorization testing. It gives you a quick way to test and validate JWT implementations across API endpoints by replaying the same requests as several users and as an unauthenticated client.
- Dynamic User Authentication: Automates the process of obtaining JWTs for user credentials provided in a configuration file.
- Flexible Endpoint Testing: Supports testing with both absolute URLs and relative paths, configurable via a simple JSON file.
- Rich Output Formatting: Utilizes the Rich library to display detailed test results in a visually appealing table format, complete with color-coded user types.
- Output Options: Offers the ability to output test results in JSON or CSV format for further analysis or reporting.
- Proxy Support: Includes functionality for routing all requests through a specified proxy server.
Before using jwtjuggler, configure your test environment and credentials in a `config.json` file. Here's an example of the configuration structure:
```json
{
  "user1": {
    "username": "user1@example.com",
    "password": "password123"
  },
  "user2": {
    "username": "user2@example.com",
    "password": "password456"
  },
  "login_endpoint": "http://localhost:8080/login",
  "base_url": "http://localhost:8080",
  "proxy": "http://your-proxy-server:port",
  "endpoints_file": "endpoints.txt"
}
```
By default, the local `config.json` is read, so in many cases you won't need to specify its location (if you're running this from the cloned repo). Note that the file holds plaintext credentials for the test accounts, so keep it out of version control.

- `user1` and `user2` represent the credentials for the users you want to test.
- `login_endpoint` specifies where the tool sends login requests to obtain JWTs.
- `base_url` is used as the prefix for relative endpoint paths.
- `proxy` (optional) specifies a proxy server that all requests are routed through, for example an intercepting proxy.
- `endpoints_file` is a text file listing all API endpoints to test, one per line. Endpoints can be specified as absolute URLs or relative paths.
To use jwtjuggler, run the script from the command line, optionally specifying the output format:

```bash
python3 jwtjuggler.py
```

For JSON or CSV output formats:

```bash
python3 jwtjuggler.py --output json
python3 jwtjuggler.py --output csv
```
Given the configuration above, jwtjuggler will attempt to log in with each set of credentials, obtain a JWT per user, and then request every API endpoint listed in `endpoints.txt` once per user and once without any token.

Assuming `endpoints.txt` contains:

```text
/workshop/api/mechanic/mechanic_report
/identity/api/v2/vehicle/{vehicleId}/location
```
The tool will test these endpoints and display results in the terminal. Here's how to interpret the output:
- Each row represents a request made to an endpoint.
- Columns show the endpoint, the user (User 1, User 2, or Unauthenticated), status code, content length, and content type.
- Color-coding: Authenticated user requests are displayed in their respective colors, and unauthenticated requests are red.
The default output is a color-coded table displayed in the terminal. Rows where the unauthenticated request returns the same status and content length as an authenticated one, or where two users get identical responses for a resource that should belong to only one of them, are the ones worth a closer look.
For JSON or CSV outputs, files will be generated in the current directory with the results of the test in the specified format.
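The configuration keys explained above and the login-then-request loop the previous section describes can be shown end to end in a few dozen lines. The block below is an added example written for this page, not JWTJuggler's own code: it parses a config of the same shape as `config.json`, logs each user in, requests every endpoint as each user and unauthenticated, and flags endpoints whose unauthenticated response matches an authenticated one. Because the README does not state the login request or response format, the example assumes a JSON body with `username` and `password`, a `token` field in the reply, and a `Bearer` Authorization header; the endpoints, users, and the in-memory `fake_transport` standing in for the target API are constructed for the demo.

```python
# Added example, not JWTJuggler's own code. Assumed (the README does not say): login takes
# JSON {"username","password"} and returns {"token": "<jwt>"}; the JWT is sent as a Bearer header.
import base64, hashlib, hmac, json
from collections import namedtuple
from typing import List, Optional
from urllib.parse import urlparse

CONFIG = {  # same shape as the README's config.json; values are constructed for the demo
    "user1": {"username": "user1@example.com", "password": "password123"},
    "user2": {"username": "user2@example.com", "password": "password456"},
    "login_endpoint": "http://localhost:8080/login",
    "base_url": "http://localhost:8080",
}
ENDPOINTS_TXT = "/api/me\n/api/admin/users\nhttp://localhost:8080/api/public/health\n"
Response = namedtuple("Response", "status body content_type")

def parse_endpoints(text: str, base_url: str) -> List[str]:
    """One endpoint per line; relative paths get base_url prefixed, absolute URLs pass through."""
    urls = []
    for line in (l.strip() for l in text.splitlines()):
        if line:
            urls.append(line if line.startswith(("http://", "https://"))
                        else base_url.rstrip("/") + "/" + line.lstrip("/"))
    return urls

def login(transport, login_endpoint: str, creds: dict) -> Optional[str]:
    # POST the credentials; return the JWT, or None when the login is rejected
    r = transport("POST", login_endpoint, json={"username": creds["username"], "password": creds["password"]})
    return json.loads(r.body).get("token") if r.status == 200 else None

def run_matrix(config: dict, endpoints_text: str, transport) -> List[dict]:
    """One row per (endpoint, identity): each configured user plus an unauthenticated baseline.
    `transport` has the shape of requests.Session.request(method, url, headers=, json=)."""
    tokens = {"Unauthenticated": None}
    for key, val in config.items():
        if isinstance(val, dict) and "username" in val:  # user entries
            tokens[key] = login(transport, config["login_endpoint"], val)
    rows = []
    for url in parse_endpoints(endpoints_text, config["base_url"]):
        for who, tok in tokens.items():
            r = transport("GET", url, headers={"Authorization": f"Bearer {tok}"} if tok else {})
            rows.append({"endpoint": url, "user": who, "status": r.status,
                         "length": len(r.body), "type": r.content_type})
    return rows

def suspicious(rows: List[dict]) -> List[str]:
    """Endpoints whose unauthenticated row succeeds and matches an authenticated row on
    status and length: either public by design, or authentication is not enforced."""
    by_ep: dict = {}
    for r in rows:
        by_ep.setdefault(r["endpoint"], {})[r["user"]] = (r["status"], r["length"])
    flagged = []
    for ep, by_user in by_ep.items():
        unauth = by_user.get("Unauthenticated")
        if unauth and unauth[0] < 400 and any(v == unauth for who, v in by_user.items() if who != "Unauthenticated"):
            flagged.append(ep)
    return flagged

# ---- constructed fake API issuing HS256 JWTs, standing in for the system under test ----
SECRET = b"constructed-demo-secret"
USERS = {"user1@example.com": "password123", "user2@example.com": "password456"}
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def make_jwt(sub: str) -> str:
    head, body = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), _b64(json.dumps({"sub": sub}).encode())
    return f"{head}.{body}." + _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())

def verify_jwt(token: str) -> Optional[str]:
    """Return the subject if the HS256 signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = _b64(hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(parts[2], expected):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))["sub"]

def fake_transport(method: str, url: str, headers: Optional[dict] = None, **kw) -> Response:
    """/login issues tokens; /api/me needs a token; /api/public/health is public by design;
    /api/admin/users is deliberately unprotected so the matrix has something to catch."""
    path = urlparse(url).path
    auth = (headers or {}).get("Authorization", "")
    sub = verify_jwt(auth[7:]) if auth.startswith("Bearer ") else None
    if method == "POST" and path == "/login":
        body = kw.get("json") or {}
        if USERS.get(body.get("username")) == body.get("password"):
            return Response(200, json.dumps({"token": make_jwt(body["username"])}).encode(), "application/json")
        return Response(401, b'{"error":"bad credentials"}', "application/json")
    if path == "/api/public/health":
        return Response(200, b'{"ok":true}', "application/json")
    if path == "/api/me":
        return (Response(200, json.dumps({"user": sub}).encode(), "application/json") if sub
                else Response(401, b'{"error":"unauthorized"}', "application/json"))
    if path == "/api/admin/users":
        return Response(200, json.dumps({"users": list(USERS)}).encode(), "application/json")
    return Response(404, b"", "text/plain")

if __name__ == "__main__":
    result = run_matrix(CONFIG, ENDPOINTS_TXT, fake_transport)
    for row in result:
        print(f'{row["endpoint"]:42} {row["user"]:15} {row["status"]} {row["length"]:4} {row["type"]}')
    print("needs triage:", suspicious(result))
```

Running it prints nine rows (three endpoints times three identities) and flags both `/api/admin/users` and `/api/public/health`: the first is the real finding (an admin route served without a token), the second is a public endpoint that trips the same heuristic, which is why a status-and-length match is a triage queue rather than a verdict. To point this at a live target you would replace `fake_transport` with a thin wrapper around `requests.Session().request` that maps `status_code`, `content` and the `Content-Type` header onto the `Response` tuple and passes the configured `proxy` via `proxies=`; the comparison logic stays the same. Templated paths such as the `{vehicleId}` placeholder in the README's example need a concrete value substituted before they are useful.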
- Autorize Project - Layout and original inspiration
- crAPI - Testing playground
- AI lol
Contributions to JWTJuggler are welcome! Please submit pull requests or open issues to suggest improvements or report bugs.