ticarpi / jwt_tool

:snake: A toolkit for testing, tweaking and cracking JSON Web Tokens
GNU General Public License v3.0

Nested Cookie values not working for tampering #27

Closed draco2003 closed 4 years ago

draco2003 commented 4 years ago

Selecting to modify the second element with an intention to modify the username causes an error

Please select an option from above (1-5):
> 2
[1] status = "success"
[2] data = JSON object:
    [+] id = true
    [+] username = ""

Results in:

(or 0 to Continue)
id
Traceback (most recent call last):
  File "jwt2_tool.py", line 1888, in <module>
    runActions()
  File "jwt2_tool.py", line 1590, in runActions
    tamperToken(paylDict, headDict, sig)
  File "jwt2_tool.py", line 370, in tamperToken
    newVal[subclaim] = paylDict[pair][subclaim]
TypeError: 'int' object is not subscriptable

ticarpi commented 4 years ago

Can you check what version you are running? The latest version (v2.0.1) seems to perform these actions fine for me.
Without your original token it's hard to be sure, but I mocked up a token that matches your payload claims and tested that.

$ python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6dHJ1ZSwidXNlcm5hbWUiOiIifX0.oRdM7Mk90vDkY23hKily8FrY3HahEI3gwl-uiRW56Ks -T

If you are on the latest version please share your token and I can debug further.

draco2003 commented 4 years ago

Running Version 2.0.1

Example token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.b7icBjhcYFYXdsTo0JoD7QStjnIKgQUWzhYxii7sife6EHPvd3FPtm-9heh3ovSnZBFoAbdExWMz88Wa-I_sVBQx2tHeD0qxg4IR2KBXcZBo3O96se12aiUwtyr3JT0pTJsC3_ekgU7_qxO2as6AiH0dXJotNUHZYzMu4W2pT7o

Debug link: https://jwt.io/#debugger-io?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.b7icBjhcYFYXdsTo0JoD7QStjnIKgQUWzhYxii7sife6EHPvd3FPtm-9heh3ovSnZBFoAbdExWMz88Wa-I_sVBQx2tHeD0qxg4IR2KBXcZBo3O96se12aiUwtyr3JT0pTJsC3_ekgU7_qxO2as6AiH0dXJotNUHZYzMu4W2pT7o

draco2003 commented 4 years ago

Don't worry it's not "real data" in the token, in case it looks scary with passwords, etc...

https://github.com/bkimminich/juice-shop

ticarpi commented 4 years ago

This should now be fixed in v2.0.2.
Let me know if the problem remains.

draco2003 commented 4 years ago

Works like a champ now. Thanks for the fix and great tool.
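
The traceback in this thread is the error Python raises when code subscripts a claim value that is not a JSON object. As an added example (not jwt_tool's code and not written by either commenter), the Python below decodes the mock token from the maintainer's comment and edits a nested claim, checking the type of each level before descending. The function names and the replacement value are assumptions made for illustration.

```python
import base64
import json

# Mock token copied from the maintainer's comment in this thread.
MOCK_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6dHJ1ZSwidXNlcm5hbWUiOiIifX0."
    "oRdM7Mk90vDkY23hKily8FrY3HahEI3gwl-uiRW56Ks"
)


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Return the payload claims as a dict; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def flatten(claims, prefix=""):
    """List every leaf claim as (dotted_path, value), nested objects included."""
    leaves = []
    for key, val in claims.items():
        if isinstance(val, dict):
            leaves.extend(flatten(val, prefix + key + "."))
        else:
            leaves.append((prefix + key, val))
    return leaves


def set_claim(claims, path, value):
    """Set the claim at path (a list of keys), refusing to descend into any
    value that is not a JSON object instead of failing with a bare TypeError."""
    node = claims
    for depth, key in enumerate(path[:-1]):
        child = node.get(key)
        if not isinstance(child, dict):
            where = ".".join(path[: depth + 1])
            kind = type(child).__name__
            raise ValueError(f"claim '{where}' is {kind}, not a JSON object")
        node = child
    node[path[-1]] = value
    return claims
```

Because `set_claim` raises a `ValueError` that names the offending claim, a path through an integer claim such as a timestamp is reported clearly rather than surfacing as `'int' object is not subscriptable`.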