JWT: Python script that performs a MAC-vs-Signature attack (retrieves public key through JWKS)

(original author): during a pen-test assignment I needed to test a JWT authorization mechanism against a MAC-vs-Signature attack but didn’t find any well-working tools for that. I wrote a small Python script that accepts a valid JWT, a JWKS path as well as a valid HTTP GET operation. It then performs the operation, outputs its results, receives the public key from JWKS, creates a new MAC-based token with that key and tries to call the original HTTP operation again. Hope you can use that for your pen-test assignments. hf, Andreas
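The server-side counterpart to the test described above, as an added example that is not part of the original post or the author's script: it pins the accepted algorithm to the JWKS key type and flags tokens whose signature is an HMAC keyed with the published public key. The key material, the JWKS entry and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample data: a placeholder PEM body and JWKS entry, not a real key.
PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQtU0FNUExF\n-----END PUBLIC KEY-----\n"
JWK = {"kty": "RSA", "kid": "demo-1", "alg": "RS256"}

# Algorithm families that are valid for each JWK key type (RFC 7518).
ALLOWED = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
    "oct": {"HS256", "HS384", "HS512"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_token(key: bytes, claims: dict) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def pinned_alg(token: str, jwk: dict) -> str:
    """Return the algorithm to verify with, or raise before any crypto runs."""
    header = json.loads(unb64url(token.split(".")[0]))
    alg = header.get("alg")
    if alg not in ALLOWED.get(jwk.get("kty"), set()):
        raise ValueError(f"alg {alg!r} not valid for {jwk.get('kty')} key")
    if "alg" in jwk and alg != jwk["alg"]:
        raise ValueError(f"alg {alg!r} differs from pinned {jwk['alg']!r}")
    return alg

def mac_matches_public_key(token: str, public_pem: bytes) -> bool:
    """Detection: True if the signature is an HMAC keyed with the public key bytes."""
    head, body, sig = token.split(".")
    signing_input = f"{head}.{body}".encode()
    return any(hmac.compare_digest(hmac.new(public_pem, signing_input, d).digest(), unb64url(sig))
               for d in (hashlib.sha256, hashlib.sha384, hashlib.sha512))

if __name__ == "__main__":
    sample = hs256_token(PUBLIC_PEM, {"sub": "constructed-user"})
    print("keyed with public key:", mac_matches_public_key(sample, PUBLIC_PEM))
    try:
        pinned_alg(sample, JWK)
    except ValueError as err:
        print("rejected:", err)
```

The detection check only matches the exact byte serialization it is given, so a deployment would run it against each form of the key it publishes. The algorithm gate does not depend on that and rejects the token from its header alone.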


