
Token encodings not removing base64 padding

Open ram8537 opened this issue 3 years ago • 0 comments

In payloads.go, when you encode the JWT after tampering with it, you encode with b64.StdEncoding.EncodeToString(). However, you should use base64.RawURLEncoding.EncodeToString(). The second method strips the padding from the base64 (i.e. the equals sign), which should not be present in the token as per the JWT guidelines (section 7).

For example, when I used the "payloads" method on this token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRheWxvciJ9.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po

The payload generated for the alg:none exploit was: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJsb2dpbiI6InRheWxvciJ9.

The payload for "x5u host header injection (w/CRLF) payload" was: eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vJTBkMGFIb3N0OiAiLCJ0eXAiOiJKV1QifQ==.eyJsb2dpbiI6InRheWxvciJ9.

Note the "=" sign padding in both examples.

Thank you for the tool!

ram8537, Jun 25 '22 02:06
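The difference the report describes, as an added example that is not jwt-hack's own code: the same header is encoded with `base64.StdEncoding` (padded, as the issue observes in payloads.go) and with `base64.RawURLEncoding` (base64url, no padding), and a small check rejects any token segment that carries padding or the standard alphabet's `+`/`/`. The header and payload JSON are constructed to match the issue's sample tokens.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample segments; they decode to the same values as the tokens quoted in the issue.
const (
	sampleHeader  = `{"alg":"none","typ":"JWT"}`
	samplePayload = `{"login":"taylor"}`
)

// encodeStd uses the standard alphabet with '=' padding, the encoding the issue reports.
func encodeStd(part string) string {
	return base64.StdEncoding.EncodeToString([]byte(part))
}

// encodeJWT uses the base64url alphabet without padding, which is what JWS segments require.
func encodeJWT(part string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(part))
}

// buildUnsignedToken assembles an alg:none-style token (empty signature) with the given encoder.
func buildUnsignedToken(enc func(string) string, header, payload string) string {
	return enc(header) + "." + enc(payload) + "."
}

// segmentsAreBase64URL reports whether every dot-separated segment is valid unpadded base64url.
// A fix for the issue should make jwt-hack's output pass this check.
func segmentsAreBase64URL(token string) bool {
	for _, seg := range strings.Split(token, ".") {
		if strings.ContainsAny(seg, "=+/") { // padding or standard-alphabet characters
			return false
		}
		if seg == "" { // the empty signature segment of an alg:none token is allowed
			continue
		}
		if _, err := base64.RawURLEncoding.DecodeString(seg); err != nil {
			return false
		}
	}
	return true
}

func main() {
	padded := buildUnsignedToken(encodeStd, sampleHeader, samplePayload)
	fixed := buildUnsignedToken(encodeJWT, sampleHeader, samplePayload)
	fmt.Printf("StdEncoding:    %s  valid=%v\n", padded, segmentsAreBase64URL(padded))
	fmt.Printf("RawURLEncoding: %s  valid=%v\n", fixed, segmentsAreBase64URL(fixed))
}
```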