Json Web Token
JWT Anatomy
Composed of three parts separated by a dot (.)
Header.Payload.Signature
Header
Gives information about the algorithm used to sign the token (i.e. to produce the signature) and, optionally, the key used to sign it.
Below are some other parameters that can be found in the JWT header. Definitions are taken from the PortSwigger website.
jwk
(JSON Web Key) - Provides an embedded JSON object representing the key.
jku
(JSON Web Key Set URL) - Provides a URL from which servers can fetch a set of keys containing the correct key
kid
(Key ID) - Provides an ID that servers can use to identify the correct key in cases where there are multiple keys to choose from. Depending on the format of the key, this may have a matching kid parameter.
Payload
Information issued by the server. The expiration time, the time at which the token was issued, the issuer, some information about the user, and the permissions are often part of the payload.
Signature
Ensures that the JWT was issued by a trusted source and has not been modified (integrity check). The signature is generated by signing the Base64url-encoded Header and Payload with the Secret (the secret is the signing key; it is not itself part of the token).
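As an added example (not code from the original page), the following Python builds and checks an HS256 token to show how the three parts fit together: the header and payload are Base64url-encoded JSON, and the signature is an HMAC over `header.payload` keyed with the secret. The secret, issuer and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# constructed sample values for the demonstration, not real credentials
DEMO_SECRET = b"constructed-demo-secret"
DEMO_HEADER = {"alg": "HS256", "typ": "JWT"}
DEMO_PAYLOAD = {"iss": "demo-issuer", "sub": "alice", "role": "user"}

def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the stripped padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(header: dict, payload: dict, secret: bytes) -> str:
    # signing input is base64url(header) + "." + base64url(payload);
    # the secret is the HMAC key, it is never concatenated into the token
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def split_jwt(token: str) -> tuple[dict, dict, bytes]:
    # the three dot-separated parts: JSON header, JSON payload, raw signature bytes
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def verify_hs256(token: str, secret: bytes) -> bool:
    # integrity check: recompute the HMAC over the exact bytes that were signed
    header, _payload, sig = split_jwt(token)
    # pin the algorithm server-side; the token's own "alg" must not choose it
    if header.get("alg") != "HS256":
        return False
    signing_input = token.rsplit(".", 1)[0]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    token = make_hs256_jwt(DEMO_HEADER, DEMO_PAYLOAD, DEMO_SECRET)
    print(token)
    print("valid:", verify_hs256(token, DEMO_SECRET))
```

Any change to the payload or header without re-signing, or a token whose header names a different algorithm, fails the check.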
Regex to find JWT in proxy history
Resources
Incredible road map to perform common JWT attacks and testing
One of the best tools to identify and exploit JWT security flaws
When facing this error using jwt_tool, we can use the flag -np to specify not to use any proxy.