jwt_tool
Support for HTTP/2
Hi, are you thinking of adding support for HTTP/2 requests? I was able to replace the protocol with a proxy, but native support would be great. Thanks
Interesting that if you go through Burp, you get an error about http/2 unknown protocol in jwt_tool (and a match and replace rule in Burp for the response is required to avoid the error), but if you run it without proxy it works fine without errors.
I got a different but partially similar error :shrug:
[+] Sending token
[ERROR] ProxyError - check proxy is up and not set to tamper with requests
HTTPSConnectionPool(host='www.ticarpi.com', port=443): Max retries exceeded with url: / (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5d1bdd3370>: Failed to establish a new connection: [Errno 111] Connection refused')))
This is one of @ticarpi's own examples, python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -rh "Origin: null" -cv "Welcome" -M er, run on version 2.2.3, from a place in the network.
I'm not even sure HTTP/2 has anything to do with it. It was resolved by checking the services.proxy setting in the .ini file.
I think that's a different problem, just that for some reason it could not communicate with the proxy. Meanwhile I noticed there is an option in Burp to disable http/2 so even the original issue should be simple to solve
Hi all, thanks for your contributions. I have indeed been looking into enabling HTTP/2. It is worth mentioning that HTTP/2 is still not fully supported everywhere, and only works when both client and server support it, with most apps gracefully downgrading to HTTP/1.1. As @halfluke mentions, HTTP/2 support can be disabled in Burp, so if you are using that you can mostly work around this issue.
That said we are seeing apps that do require it, so it is definitely on my roadmap to support it if possible.
The main thing stopping me is that jwt_tool uses the Requests library to send/receive HTTP requests. Requests does not support HTTP/2 and it seems it never will.
One possible solution is using hyper on top of Requests, however when testing this I found that this has a bug where it ignores Requests proxy settings, which messes everything up. hyper is also archived/EOL so I'm not keen on implementing that.
I'm currently looking into HTTPX - which is currently in beta. It provides HTTP/1.1 and HTTP/2 support and should be fine with proxying. Seems like the best solution, but requires a bit of work to port it in and a fair bit of testing to make sure it's a solid replacement for Requests here.
I'd welcome feedback!
I have this problem too, any method to solve it?
check your jwtconf.ini:
[services]
jwt_tool_version = 2.2.5
# To disable the proxy option set this value to: False (no quotes). For Docker installations with a Windows host OS set this to: "host.docker.internal:8080"
proxy = 127.0.0.1:8080
Or start Burp and disable http/2
Hi, thanks for the reply. I have created a new file jwtconf.ini and pasted in all these. It still does not work. I don't have Burp, so I don't think it is related to it.
jwtconf.ini is created by jwt_tool on its first run. You just have to modify and set:
proxy = False
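As an added example (not part of the thread and not jwt_tool's own code): a small check for the ProxyError discussed above, which reads the services.proxy value from jwtconf.ini text and tests whether anything is listening at that address. The function names, the quote stripping and the inline sample config are assumptions made for illustration.

```python
import configparser
import socket

# Constructed sample mirroring the [services] section quoted in the thread.
SAMPLE_INI = """\
[services]
jwt_tool_version = 2.2.5
# To disable the proxy option set this value to: False (no quotes).
proxy = 127.0.0.1:8080
"""


def read_proxy(ini_text):
    """Return (host, port) from services.proxy, or None when it is set to False."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Assumption: tolerate a value pasted with surrounding quotes.
    raw = cfg.get("services", "proxy").strip().strip("\"'")
    if raw.lower() == "false":
        return None
    host, sep, port = raw.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"services.proxy is not host:port: {raw!r}")
    return host, int(port)


def proxy_status(ini_text, timeout=2.0):
    """Classify the proxy setting as 'disabled', 'listening' or 'unreachable'."""
    target = read_proxy(ini_text)
    if target is None:
        return "disabled"
    try:
        with socket.create_connection(target, timeout=timeout):
            return "listening"
    except OSError:
        # Covers connection refused (Errno 111 in the thread), timeouts
        # and name-resolution failures.
        return "unreachable"


if __name__ == "__main__":
    # To check a real file, pass open("jwtconf.ini").read() instead of the sample.
    print(read_proxy(SAMPLE_INI), proxy_status(SAMPLE_INI))
```

A result of "unreachable" corresponds to the "Cannot connect to proxy" error above: either start the proxy at that address or set proxy = False.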
Hello there,
Sorry to barge in. There's an alternative now that may come to be interesting: https://github.com/jawah/niquests
This is a drop-in-worthy replacement for Requests. That allows a painless transition and acquires modern capabilities. I can answer any of your concerns if you need me.
Hello, just use the flag -np (no-proxy) at the end