Scanning modes don't work with JWT already containing a "jku" header #90

h49nakxs · 2023-01-15T15:55:30Z

Hello,

Thanks for your great tool, really handy to test JWT 👍

Just want to report a small issue. The scanning modes "-M pb" and "-M at" don't work with a JWT in which there's already a "jku" header.

The problem lies starting 1432 :

    try:
        origjku = headDict["jku"]
    except:
        origjku = False
        if config['services']['jwksloc']:
            jku = config['services']['jwksloc']
        else:
            jku = config['services']['jwksdynamic']
    newContents, newSig = exportJWKS(jku)
    jwtOut(newContents+"."+newSig, "Exploit: Spoof JWKS (-X s)", "Signed with JWKS at "+jku)

The variable "jku" is never set if there's already a "jku" header inside the token, thus the program throws an error.

The text was updated successfully, but these errors were encountered:

I belive this addresses the problem described in issue ticarpi#90. To reproduce the undefined var in line it I had to run in the scan mode "-M at" and you need a JWT that defines "jku" field. In that case the try block before succeds. That lead to the "jku" variable never to be defined.

disasmwinnie mentioned this issue Apr 1, 2024

Fix intendation/scope for block responsible of jku-var exchange. #105

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scanning modes don't work with JWT already containing a "jku" header #90

Scanning modes don't work with JWT already containing a "jku" header #90

h49nakxs commented Jan 15, 2023

Scanning modes don't work with JWT already containing a "jku" header #90

Scanning modes don't work with JWT already containing a "jku" header #90

Comments

h49nakxs commented Jan 15, 2023