# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jwttool
spec:
  selector:
    matchLabels:
      app: jwttool
  template:
    metadata:
      labels:
        app: jwttool
    spec:
      containers:
        - name: jwttool

	pods, err := t.Clusters().Default().PodsForSelector(context.TODO(), ns, "app="+jwtTool)
	if err != nil {
		t.Fatalf("failed to get jwttool pod: %v", err)
	}
	t.Logf("running jwttool fuzz test against the %s (should normally complete in 10 seconds)...", server)

	// Run the jwttool fuzz testing with "--mode at" to run all tests:
	// - JWT Attack Playbook
	// - Fuzz existing claims to force errors

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

HUB ?= "gcr.io/istio-testing/jwttool"
TAG ?= "0.1"

push: Dockerfile
	docker build . -t $(HUB):$(TAG)

FROM python:3

RUN git clone https://github.com/ticarpi/jwt_tool
WORKDIR /jwt_tool
COPY run.sh .
COPY jwtconf.ini .
COPY sample-RSA-private.pem .
COPY sample-RSA-public.pem .
RUN chmod +x ./run.sh && chmod +x jwt_tool.py && apt-get update && apt-get install --no-install-recommends -y python3-pip \
  && apt-get clean && rm -rf /var/lib/apt/lists/*
RUN python3 -m pip install --no-cache-dir termcolor==1.1.0 cprint==1.2.2 pycryptodomex==3.10.1 requests==2.25.1

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

./jwt_tool.py "$@"

# The jwt_tool.py always return non-zero exit code, overwrite to just return zero as the test code will check the report
# separately to determine if it has really failed.

        return toolSearchPath.locate(compilerType, toolRegistry.getTool(compilerType).getExecutable());
    }

    @Override
    protected Compiler<CppCompileSpec> createCppCompiler() {
        GccCommandLineToolConfigurationInternal cppCompilerTool = toolRegistry.getTool(ToolType.CPP_COMPILER);

// implementation. It is also used by tests.
//
// The default behavior (vetTool=="") runs 'go tool vet'.
var vetTool string // -vettool

func init() {
	work.AddBuildFlags(CmdVet, work.DefaultBuildFlags)
	CmdVet.Flag.StringVar(&vetTool, "vettool", "", "")
}

func parseVettoolFlag(args []string) {
	// Extract -vettool by ad hoc flag processing:
	// its value is needed even before we can declare

before each new Istio release and make sure all fuzz tests pass.

## Overview

![](overview.jpg)

The fuzz test uses specialized web vulnerability fuzzers ([jwt_tool](https://github.com/ticarpi/jwt_tool),
[dotdotpwn](https://github.com/wireghoul/dotdotpwn)) and [wfuzz](https://github.com/xmendez/wfuzz) to generate a

	defer span.Done()

	work.BuildInit()
	work.VetFlags = vetFlags
	if len(vetFlags) > 0 {
		work.VetExplicit = true
	}
	if vetTool != "" {
		var err error
		work.VetTool, err = filepath.Abs(vetTool)
		if err != nil {
			base.Fatalf("%v", err)
		}
	}

	pkgOpts := load.PackageOpts{ModResolveTests: true}
	pkgs := load.PackagesAndErrors(ctx, pkgOpts, pkgArgs)

jwksloc =
# Set this to the base URL of a Collaborator server, somewhere you can read live logs, a Request Bin etc.
httplistener =

[customising]
useragent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) jwt_tool

[input]
wordlist = jwt-common.txt
commonHeaders = common-headers.txt
commonPayloads = common-payloads.txt

[argvals]
# Set at runtime - changes here are ignored
sigType =
targetUrl =
cookies =