(original author): during a pen-test assignment I needed to test a JWT authorization mechanism against a MAC-vs-Signature attack but didn’t find any well working tools for that. I wrote a small python script that accepts a valid JWT, a JWKS path as well as a valid HTTP GET operation. It then performs the operation, outputs it’s results, receives the public key from JWKS, creates a new MAC-based token with that key and tries to call the original HTTP operation again. Hope you can use that for your pen-test assignments. hf, Andreas
- A Haunting School-Yard Memory: The 1970s Schoolboy Murders in Sydney, Australia
- Removing security sensors?