In a recent post (https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code/), we presented the wallarm/jwt-secrets GitHub repository with 340 publicly available JSON Web Token secrets. Using this data, you can check whether you or your developers forgot to change a default secret or used a weak third-party library that ships with one.
The project did not stall, and today we are happy to announce a major update that adds more than 1800 new JWT secrets collected from public sources such as Google, GitHub, PasteBin, and others.
To make security auditors' job easier, we also built a simple Burp extension that checks the JWT tokens it sees against the secret list, which is automatically updated from our jwt-secrets GitHub project. You can find it here: https://github.com/wallarm/jwt-heartbreaker
The JWT Heartbreaker extension is released under the GPL license and is based on the JSON Web Tokens (JWT4B) extension. The project also has its own page on our blog, where we will post changes, new feature announcements, and news.
You can build it from the source code by following the instructions on GitHub, or download a precompiled JAR file from here: https://github.com/wallarm/jwt-heartbreaker/releases/download/0.1/jwt-heartbreaker-1.0-SNAPSHOT-jar-with-dependencies.jar
We have also submitted it to the BApp Store, but the review process takes some time. Until it is listed there, you have to install the JWT Heartbreaker extension manually from the "Extensions" tab in Burp Suite.
Once it has loaded, a JWT Heartbreaker tab appears in your Burp control panel.
That's it! There is nothing else to configure. Use Burp as usual and check the vulnerabilities tab from time to time. JWT Heartbreaker automatically finds JWT tokens in all proxied HTTP requests and checks whether any of the known weak secrets reproduces their signature, which means an attacker with the same public list could forge tokens for that application.
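To show what that passive check amounts to, here is an added Python example; it is not the extension's own code (JWT Heartbreaker is a Java Burp extension built on JWT4B). It finds JWT-shaped strings in a raw HTTP request, decodes the header, and for HMAC-signed tokens recomputes the signature under each candidate secret. The secret list and the sample request are constructed for this example and are not taken from the jwt-secrets repository.

```python
import base64
import hashlib
import hmac
import json
import re

# Compact JWS: three base64url segments. Every JSON header starts with '{"',
# which base64url-encodes to "eyJ", so that prefix is a cheap first filter.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Only HMAC-signed tokens can be checked against a secret list; RS*/ES*/PS*
# tokens need a private key, and "none" carries no signature at all.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed stand-in for the wallarm/jwt-secrets list (hypothetical entries).
WEAK_SECRETS = ["secret", "password", "changeme", "your-256-bit-secret", "jwt_secret"]


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding (JWTs strip the '=' characters)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs_sign(signing_input: str, secret: str, alg: str) -> bytes:
    """HMAC over 'header.payload', as RFC 7515 specifies for the HS* algorithms."""
    return hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()


def make_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Build a signed token; used here only to construct sample traffic."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{b64url_encode(hs_sign(signing_input, secret, alg))}"


def find_jwts(text: str) -> list:
    """Return every JWT-looking string in a raw HTTP message (headers, cookies, body)."""
    return JWT_RE.findall(text)


def check_weak_secret(token: str, secrets) -> "str | None":
    """Return the first secret that reproduces the token's signature, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # not a parseable JWS
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in HMAC_ALGS:
        return None
    signing_input = f"{header_b64}.{payload_b64}"
    for secret in secrets:
        if hmac.compare_digest(hs_sign(signing_input, secret, alg), sig):
            return secret
    return None


def scan_request(raw_request: str, secrets=WEAK_SECRETS) -> list:
    """Mimic the passive check: (token, secret) for every JWT signed with a listed secret."""
    findings = []
    for token in find_jwts(raw_request):
        secret = check_weak_secret(token, secrets)
        if secret is not None:
            findings.append((token, secret))
    return findings


# Constructed sample traffic: one token signed with a listed secret, one with a strong one.
WEAK_TOKEN = make_token({"sub": "1234", "role": "admin"}, "secret")
STRONG_TOKEN = make_token({"sub": "1234"}, "Kx9!vP2#mQ7$wL4&zR8*nT3^bY6@cH1%", "HS512")
SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\r\n"
    "Host: example.test\r\n"
    f"Authorization: Bearer {WEAK_TOKEN}\r\n"
    f"Cookie: session={STRONG_TOKEN}; theme=dark\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for token, secret in scan_request(SAMPLE_REQUEST):
        print(f"weak secret {secret!r} verifies token {token[:24]}...")
```

A hit from `scan_request` is a finding in its own right: the secret is public, so anyone can mint tokens with arbitrary claims for that application. Note the limits of the approach, which apply to any list-based check: it only covers HS256/HS384/HS512, and a miss says nothing about tokens signed with an unlisted but still guessable secret, which is a job for an offline brute-forcer rather than a proxy plugin.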
Lastly, we wish you productive bug hunting with the JWT Heartbreaker extension. We are committed to updating the weak-secrets database regularly, so don't forget to press the "Update" button occasionally.
As usual, if you need to protect your API endpoints, whatever that may be for you, from XML-RPC, SOAP and REST to GraphQL, gRPC and WebSockets, please consider Wallarm as the solution.
Cheers!