jjwt vs security-labs-pocs

jjwt

Java JWT: JSON Web Token for Java and Android (by jwtk)

Source Code

Suggest alternative

Edit details

security-labs-pocs

Proof of concept code for Datadog Security Labs referenced exploits. (by DataDog)

Suggest topics

Source Code

Suggest alternative

Edit details

Our great sponsors

WorkOS - The modern identity platform for B2B SaaS

InfluxDB - Power Real-Time Data Analytics at Scale

SaaSHub - Software Alternatives and Reviews

Our great sponsors

jjwt		security-labs-pocs
	Project
4	Mentions	9
9,847	Stars	412
1.4%	Growth	0.2%
8.3	Activity	5.0
about 21 hours ago	Latest Commit	7 months ago
Java	Language	C
Apache License 2.0	License	GNU General Public License v3.0 or later

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

jjwt

Posts with mentions or reviews of jjwt. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-01-17.

Java JWT: JSON Web Token for Java and Android
1 project | news.ycombinator.com | 4 Oct 2023
A simple to use Java 8 JWT Library. Verify, Sign, Encode, Decode all day.
5 projects | /r/java | 17 Jan 2023

How does this compare to JJWT?
Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449
2 projects | /r/netsec | 21 Apr 2022

Note that this PoC uses DER signature which is accepted by the jjwt library as fallback (see https://github.com/jwtk/jjwt/blob/master/impl/src/main/java/io/jsonwebtoken/impl/crypto/EllipticCurveSignatureValidator.java ), but that is not a standard. Standard is JOSE format.
JWT authentication in Spring Security and Angular
3 projects | dev.to | 14 Sep 2020

There are many open-source JWT implementations available for all languages. In this blog post, we use Java jjwt library in this blog post.

security-labs-pocs

Posts with mentions or reviews of security-labs-pocs. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-04-21.

Python install for non IT staff
1 project | /r/cybersecurity_help | 26 Jan 2023

Also to your point, interpreted languages are not as reliably detected by AV/NGAV/EDR/etc. from my experience. You could inquire with your EDR's technical reps or try downloading/running some existing malware written in Python in a disposable VM with your EDR installed and see if it gets picked up. Here are some real-world examples you could use, too: https://github.com/DataDog/security-labs-pocs/tree/main/malware-samples/pypi
DataDog/security-labs-pocs: Proof of concept code for Datadog Security Labs referenced exploits. Now updated with a vulnerable environment to test out the new Confluence #CVE202226134 vulnerability. Handy.
1 project | /r/blueteamsec | 14 Jun 2022
GitHub - DataDog/security-labs-pocs: Proof of concept code for Datadog Security Labs referenced exploits.
1 project | /r/RedSec | 10 Jun 2022
Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449
2 projects | /r/netsec | 21 Apr 2022
Exploitation and Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)
1 project | /r/RedSec | 21 Apr 2022

1 project | /r/websecurityresearch | 21 Apr 2022
CVE-2022-21449
5 projects | /r/java | 21 Apr 2022

Arch as well but the point about responsible disclosure is for the majority of users to have the patch before the vulnerability and POC are published. And I'd bet most Java web things are running on one of the unpatched builds (like Ubuntu with its 10 year LTS).
Exploitation and Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449) - not a real app, but fundament technique means it is only time
1 project | /r/blueteamsec | 21 Apr 2022
CVE-2022-21449: Psychic Signatures in Java
1 project | /r/netsec | 20 Apr 2022

For anyone looking to reproduce the vulnerability with a sample vulnerable application, my team just released this to showcase it applied to bypass a JWT verification process: https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/jwt-null-signature-vulnerable-app

What are some alternatives?

When comparing jjwt and security-labs-pocs you can also consider the following projects:

jwt-java - JSON Web Token implementation for Java according to RFC 7519. Easily create, parse and validate JSON Web Tokens using a fluent API.

corretto-17 - Amazon Corretto 17 is a no-cost, multi-platform, production-ready distribution of OpenJDK 17

Nimbus JOSE+JWT - JSON Web Token (JWT) implementation for Java with support for signatures (JWS), encryption (JWE) and web keys (JWK).

adoptium

Spring Security - Spring Security

Bouncy Castle - Bouncy Castle Java Distribution (Mirror)

Keycloak - Open Source Identity and Access Management For Modern Applications and Services

java-jwt-benchmark - Project for benchmarking popular Json Web Token (JWT) frameworks for Java using JMH.

owasp-zap-jwt-addon - OWASP ZAP addon for finding vulnerabilities in JWT Implementations

java-jwt - Java implementation of JSON Web Token (JWT)

Apache Shiro - Apache Shiro

jose-jwt - Ultimate Javascript Object Signing and Encryption (JOSE), JSON Web Token (JWT) and Json Web Keys (JWK) Implementation for .NET and .NET Core

jjwt vs jwt-java security-labs-pocs vs corretto-17 jjwt vs Nimbus JOSE+JWT security-labs-pocs vs adoptium jjwt vs Spring Security jjwt vs Bouncy Castle jjwt vs Keycloak jjwt vs java-jwt-benchmark jjwt vs owasp-zap-jwt-addon jjwt vs java-jwt jjwt vs Apache Shiro jjwt vs jose-jwt

Compare jjwt vs security-labs-pocs and see what are their differences.

jjwt

security-labs-pocs

jjwt

security-labs-pocs

What are some alternatives?