JSON Web Tokens
Online tool website: https://jwt.io/
Python library used: jwt (pip install pyjwt)
JWT data structure
JWT header
The JWT header is a JSON object of descriptive metadata, generally of the following form.
{
"alg": "HS256",
"typ": "JWT"
}
In the code above, the alg property names the signature algorithm, HMAC SHA256 by default (written HS256); the typ property gives the token type, which for a JWT is always written as JWT.
Finally, this JSON object is converted to a string with the Base64URL algorithm and stored.
3.2 Payload
The payload is the main body of the JWT: a JSON object containing the data to be transmitted. The JWT specification defines seven registered claims to choose from.
iss: issuer
exp: expiration time
sub: subject
aud: audience
nbf: not before (the token is not valid before this time)
iat: issued at
jti: JWT ID, a unique identifier for this token
Besides these registered claims, you can also define private claims of your own, as in the following example:
{
"sub": "1234567890",
"name": "chongchong",
"admin": true
}
Note that by default a JWT is not encrypted: anyone can decode and read its contents, so do not put confidential information in private claims, or it will leak.
This JSON object is likewise Base64URL-encoded into a string and stored.
3.3 Signature Hash
The signature is computed over the two parts above with the specified hash algorithm, so that the data cannot be tampered with without detection.
First a secret is needed. It is kept only on the server and must never be disclosed to users. Then, using the signature algorithm named in the header (HMAC SHA256 by default), the signature is produced by the following formula.
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret)
Once the signature hash is computed, the three parts (header, payload and signature) are concatenated into a single string, each part separated by ".", which constitutes the complete JWT.
4. JWT usage
When the client receives the JWT returned by the server, it can store it in a Cookie or in localStorage.
After that, the client sends the JWT along with every interaction with the server. If it is kept in a Cookie it is transmitted automatically, but that does not work cross-domain, so it is usually placed in the Authorization header field of the HTTP request.
Authorization: Bearer
For cross-domain requests, the JWT can also be placed in the body of a POST request.
The difference between the Base64URL used by JWT and plain Base64
# Base64URL encoding is shown below (Python 3; inputs and outputs are bytes)
from base64 import b64encode, b64decode

def base64URLen(s):
    # Standard Base64, then drop the '=' padding and swap '+' '/' for '-' '_'
    t0 = b64encode(s)
    t1 = t0.rstrip(b'=').replace(b'+', b'-').replace(b'/', b'_')
    return t1

def base64URLde(s):
    # Reverse the substitution and restore '=' padding to a multiple of 4
    t0 = s.replace(b'-', b'+').replace(b'_', b'/')
    t1 = t0 + b'=' * ((4 - len(t0) % 4) % 4)
    return b64decode(t1)
JWT loophole 1
Modifying the signature algorithm:
You can see that the current JWT uses the HS256 algorithm.
Change alg in the JWT header to none (the algorithm HS256 becomes none).
Change username: guest in the payload to username: admin,
i.e. forge a payload with username = admin.
Generate the token in Python.
Get the flag.
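An added example (not code from the original post) that ties the HMACSHA256 formula of section 3.3 to the loophole above: a stdlib-only HS256 signer and a strict verifier that fixes the expected algorithm on the server side, so a token whose alg was switched to none, or whose payload was edited without re-signing, is rejected. The secret and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # header.payload.signature, exactly the HMACSHA256(...) formula from section 3.3
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes) -> dict:
    # Strict verifier: the server fixes the algorithm; the token's own header does not get a vote.
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # closes the alg=none loophole (and any other alg swap)
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time comparison
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_b64))

def rejects(token: str, secret: bytes) -> bool:
    try:
        verify_hs256(token, secret)
        return False
    except ValueError:
        return True

def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed for this demo; real secrets live in server config
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"username": "guest"}, secret)
    p_admin = b64url_encode(b'{"username":"admin"}')
    # The forged token from the loophole section: alg switched to none, payload edited, no signature.
    none_token = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p_admin + "."
    # Payload edited but the original HS256 signature kept: the MAC no longer matches.
    h_b64, _, s_b64 = good.split(".")
    tampered = f"{h_b64}.{p_admin}.{s_b64}"
    return {"valid": verify_hs256(good, secret),
            "none_rejected": rejects(none_token, secret),
            "tampered_rejected": rejects(tampered, secret)}
```

Calling demo() returns {'valid': {'username': 'guest'}, 'none_rejected': True, 'tampered_rejected': True}; a library such as pyjwt achieves the same by passing an explicit algorithms list to decode rather than trusting the header.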