Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token encodings not removing base64 padding #29

Open
ram8537 opened this issue Jun 25, 2022 · 0 comments
Open

Token encodings not removing base64 padding #29

ram8537 opened this issue Jun 25, 2022 · 0 comments

Comments

@ram8537
Copy link

ram8537 commented Jun 25, 2022
edited

In payloads.go, when you encode the JWT after tampering with it, you encode with b64.StdEncoding.EncodeToString(). However, you should use base64.RawURLEncoding.EncodeToString(). The second method strips the padding from the base64 (i.e. the equals sign), which should not be present in the token as per the JWT guidelines (section 7).

For example, when I used the "payloads" method on this token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRheWxvciJ9.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po

The payload genertated for the alg:none exploit was:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJsb2dpbiI6InRheWxvciJ9.

The payload for "x5u host header injection (w/CRLF) payload" was:
eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vJTBkMGFIb3N0OiAiLCJ0eXAiOiJKV1QifQ==.eyJsb2dpbiI6InRheWxvciJ9.

Note the "=" sign padding in both examples.

Thank you for the tool!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ram8537