Attack details + Summary JWT + XXE adjustments

This commit is contained in:
Swissky
2018-11-26 00:25:06 +01:00
parent 928a454531
commit 521d61d956
4 changed files with 47 additions and 11 deletions

@@ -2,6 +2,11 @@
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
- JWT Format
- JWT Signature - None algorithm
- JWT Signature - RS256 to HS256
- Breaking JWT's secret
## JWT Format
JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
@@ -139,3 +144,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
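Review bot: the URL in the new reference on the last line of this hunk ends in a doubled slash (`...json-web-token-libraries//`), which looks like a paste error; suggest `https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/`. The entry otherwise matches the surrounding `- [Title](url)` list format.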