Tooling

Crypto & TLS Testing

testssl.sh, sslyze, jwt_tool — auditing TLS, JWTs, and weak crypto in the wild.

The boring-but-important part of security: is your TLS configured correctly, are your JWTs not signed with none, are your cert chains complete? For dev-side JWT libraries see Crypto & JWT. For PKI / cert mgmt see PKI & Cert Management. For password / hash cracking see Password Cracking.

TLS / SSL configuration audit

  • ★ ★ testssl.sh — bash; thorough TLS audit; cipher suites, certificate, vulns (Heartbleed, ROBOT, BEAST, POODLE, CRIME, BREACH, Logjam, FREAK), SNI, OCSP. Single binary, no install. Free.
  • sslyze — Python; faster, machine-readable; great for CI. Free.
  • Qualys SSL Labshttps://www.ssllabs.com/ssltest/ — free hosted scan; A/A+ grading; web only.
  • CryptCheck — free hosted; covers HTTPS / SMTP / IMAP / XMPP.
  • Hardenize — multi-protocol audit; free.
  • Nmap NSE--script ssl-enum-ciphers,ssl-cert,ssl-dh-params,ssl-known-key; great for batch scanning many hosts.
  • Caddy / Lego / acme.sh — for getting a proper cert in the first place; see PKI & Cert Management.

Cert handling

  • OpenSSL CLI — the universal swiss-army; openssl s_client -connect, openssl x509 -text, openssl req, etc.
  • mkcert — local-CA tool for dev; cleanly trusted by browsers.
  • certbot / lego / acme.sh — Let's Encrypt clients.
  • smallstep CLI (step) — modern PKI; great for internal CA + ACME.
  • CFSSL (Cloudflare) — internal PKI tooling.

TLS Mutual / mTLS

  • See PKI & Cert Management — smallstep / Vault / cert-manager.
  • mtlscan / smtlscan — niche audit tools.

JWT auditing

  • jwt_tool (ticarpi) — JWT swiss-army: decode, alg-confusion (none, HS256→RS256), kid traversal, blank-signature, weak-secret brute. Free.
  • jwt-cracker (Pythonic / Node) — HS256 secret recovery against a weak secret list.
  • John the Ripper jwt mode — see Password Cracking.
  • Hashcat 16500 — JWT HS256 mode.
  • jwt.io — interactive decoder (paste tokens; remember they leak through the browser).
  • Burp JWT Editor — Burp Pro extension; the standard hands-on tool. See Web App Testing.

Common JWT issues to test for

  • alg: none accepted.
  • ★ HS256 ↔ RS256 algorithm-confusion (signing with the public key).
  • Weak HS256 secret (< 16 bytes / dictionary).
  • kid parameter SQLi / path traversal.
  • jku / x5u header attacks (server fetches your URL).
  • Missing exp / iss / aud checks.
  • Replay (no jti tracking).
  • Algorithm not pinned server-side.

Password / KDF testing

  • Hashcat / John the Ripper — see Password Cracking.
  • scrypt-Bench / argon2-cli — verify your KDF parameters are tuned reasonably (target ≥ 250 ms on prod hardware).
  • HIBP API / Pwned-Passwords — see Bot Protection for breached-password lists.

Crypto-API anti-pattern hunters

  • CodeQL queries for "AES ECB mode," "MD5 / SHA1 in security context," "static IV." See Security Scanning.
  • Semgrep crypto pack — community rules.
  • CryptoREPL / crypto-attacks repo — for learning.

Common implementation pitfalls

  • AES-ECB used anywhere — never appropriate.
  • CBC without HMAC — use AES-GCM or chacha20-poly1305.
  • Static IV / nonce reuse — catastrophic in GCM / CTR.
  • MD5 / SHA1 for security — broken; use SHA-256 / SHA-3.
  • Roll-your-own crypto — almost always wrong.
  • Constant-time comparisonscrypto.timingSafeEqual (Node), subtle (browser), hmac.compare_digest (Python).
  • PBKDF2 with too-low rounds — should be ≥ 600k for SHA-256 in 2026.

RSA / classical attacks

  • RsaCtfTool — Wiener, Fermat, common-modulus, low-public-exponent. See CTF Tools.
  • featherduster — automated classical crypto.
  • sage / pycryptodome / gmpy2 — number theory glue.

TLS-side test infrastructure

  • mitmproxy — see Web App Testing.
  • Caddy + automatic-HTTPS — used in lab to terminate TLS quickly.
  • bettercap / ssldump — packet inspection.
  • DNS RPZ / DoH / DoT testing — see DNS Infrastructure.

Pick this if…

  • Default TLS audit (single binary, free): testssl.sh.
  • CI-friendly TLS audit: sslyze.
  • Free hosted A/A+ check: Qualys SSL Labs.
  • JWT testing: jwt_tool + Burp JWT Editor extension.
  • JWT secret cracking: Hashcat 16500.
  • Internal PKI: smallstep + ACME.
  • Hash strength check: Hashcat / John on representative samples.

On this page