https://github.com/logan-elliott/jwtsploit-hmac-algswap-admin
Ruby script made to solve JWT attack challenge. Swaps algorithim in JWT header from RS256 to HS256 and swaps user value in JWT payload to admin. Verifies signature with public key file. Decodes JWT value and prints to standard output, also prints new JWT value for admin user.
https://github.com/logan-elliott/jwtsploit-hmac-algswap-admin
authentication hacking jwt pentesting ruby webapp
Last synced: 10 months ago
JSON representation
Ruby script made to solve JWT attack challenge. Swaps algorithim in JWT header from RS256 to HS256 and swaps user value in JWT payload to admin. Verifies signature with public key file. Decodes JWT value and prints to standard output, also prints new JWT value for admin user.
- Host: GitHub
- URL: https://github.com/logan-elliott/jwtsploit-hmac-algswap-admin
- Owner: Logan-Elliott
- Created: 2021-07-03T07:05:07.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2021-07-03T07:27:34.000Z (almost 5 years ago)
- Last Synced: 2025-01-22T21:24:53.317Z (over 1 year ago)
- Topics: authentication, hacking, jwt, pentesting, ruby, webapp
- Language: Ruby
- Homepage:
- Size: 3.91 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# JWTSploit-HMAC-algSwap-admin
Ruby script made to solve JWT attack challenge. Swaps algorithim in JWT header from RS256 to HS256 and swaps user value in JWT payload to admin. Verifies signature with public key file. Decodes JWT value and prints to standard output, also prints new JWT value for admin user.
**To use change TOKEN value to the JWT of your test user, change value on line 16 to your test user, change public key file name to name of the public key file you are using to verify signature**
Use Curl or Burp to submit request with the generated admin JWT